Analysis
max time kernel: 72s
max time network: 222s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06-02-2023 16:25
Malware Config
Extracted
quasar
1.4.0.0
Office04
carolina-electro.at.ply.gg:23401:23401
OkYd8B8aPhYGPmBnJV
encryption_key: ifxqeoBwByp64Ea77ScW
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: windowsprogramm
subdirectory: SubDir
Signatures

Quasar payload 1 IoCs
resource  yara_rule
behavioral1/memory/1340-123-0x0000000000BD0000-0x0000000000C1E000-memory.dmp  family_quasar

Executes dropped EXE 2 IoCs
Processes: Client.exe, Client.exe
pid   process
5004  Client.exe
3136  Client.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
44    ip-api.com
65    ip-api.com

Drops file in System32 directory 8 IoCs
Processes: Client.exe, Titanic.exe, Client.exe, Titanic.exe
description                   ioc                                    process
File opened for modification  C:\Windows\SysWOW64\SubDir             Client.exe
File created                  C:\Windows\SysWOW64\SubDir\Client.exe  Titanic.exe
File opened for modification  C:\Windows\SysWOW64\SubDir\Client.exe  Titanic.exe
File opened for modification  C:\Windows\SysWOW64\SubDir\Client.exe  Client.exe
File opened for modification  C:\Windows\SysWOW64\SubDir             Client.exe
File created                  C:\Windows\SysWOW64\SubDir\Client.exe  Titanic.exe
File opened for modification  C:\Windows\SysWOW64\SubDir\Client.exe  Titanic.exe
File opened for modification  C:\Windows\SysWOW64\SubDir\Client.exe  Client.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid   process
4484  schtasks.exe
1792  schtasks.exe
4836  schtasks.exe
4176  schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes: iexplore.exe
description       ioc  process
Set value (data)  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 87b800d0a7aed801  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\PhishingFilter  iexplore.exe

Modifies registry class 1 IoCs
Processes: iexplore.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings  iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: Titanic.exe, Client.exe, Titanic.exe, Client.exe
description              pid   process
Token: SeDebugPrivilege  1340  Titanic.exe
Token: SeDebugPrivilege  5004  Client.exe
Token: SeDebugPrivilege  4692  Titanic.exe
Token: SeDebugPrivilege  3136  Client.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe
pid   process
2700  iexplore.exe
2700  iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid   process
2700  iexplore.exe
2700  iexplore.exe
3808  IEXPLORE.EXE
3808  IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs
Processes: iexplore.exe, Titanic.exe, Client.exe, Titanic.exe, Client.exe
description                       pid   process       target process
PID 2700 wrote to memory of 3808  2700  iexplore.exe  IEXPLORE.EXE
PID 2700 wrote to memory of 3808  2700  iexplore.exe  IEXPLORE.EXE
PID 2700 wrote to memory of 3808  2700  iexplore.exe  IEXPLORE.EXE
PID 1340 wrote to memory of 4836  1340  Titanic.exe   schtasks.exe
PID 1340 wrote to memory of 4836  1340  Titanic.exe   schtasks.exe
PID 1340 wrote to memory of 5004  1340  Titanic.exe   Client.exe
PID 1340 wrote to memory of 5004  1340  Titanic.exe   Client.exe
PID 5004 wrote to memory of 4176  5004  Client.exe    schtasks.exe
PID 5004 wrote to memory of 4176  5004  Client.exe    schtasks.exe
PID 4692 wrote to memory of 4484  4692  Titanic.exe   schtasks.exe
PID 4692 wrote to memory of 4484  4692  Titanic.exe   schtasks.exe
PID 4692 wrote to memory of 3136  4692  Titanic.exe   Client.exe
PID 4692 wrote to memory of 3136  4692  Titanic.exe   Client.exe
PID 3136 wrote to memory of 1792  3136  Client.exe    schtasks.exe
PID 3136 wrote to memory of 1792  3136  Client.exe    schtasks.exe

Processes

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/zaQ7z0W0y8/Titanic_Executor_zip
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:82945 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_Titanic Executor.zip\Titanic Executor\Titanic.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Titanic Executor.zip\Titanic Executor\Titanic.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "windowsprogramm" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Temp1_Titanic Executor.zip\Titanic Executor\Titanic.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

  C:\Windows\SysWOW64\SubDir\Client.exe
  "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "windowsprogramm" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

C:\Users\Admin\Downloads\Titanic Executor\Titanic Executor\Titanic.exe
"C:\Users\Admin\Downloads\Titanic Executor\Titanic Executor\Titanic.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "windowsprogramm" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Titanic Executor\Titanic Executor\Titanic.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

  C:\Windows\SysWOW64\SubDir\Client.exe
  "C:\Windows\SysWOW64\SubDir\Client.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "windowsprogramm" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads