Analysis Overview
SHA256
3e66131bb29804bf3fd4a1550c916a767d35729f73ba0cd77b904872c9bebe95
Threat Level: Known bad
The file 03b3994449556eb9937fb8baa0ffbffa was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 20:53
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 20:53
Reported
2023-12-30 03:22
Platform
win7-20231215-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\directx\directx.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\directx\directx.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\directx\directx.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe
"C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Bp2nfTtUJa2.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmdDBd18SDUl.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WkEqkoDeQEU8.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jym5a0QNLHRS.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6acYAAQSq2SG.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\18ZIle8psmyg.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XbzgDeiGlc7n.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\O53NPGrZamwn.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HyXQPj22pM6f.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKrAKlAcQjLE.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HD58Ja4KwEA9.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8B1X4J9lCc2S.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKrcwCTD9cUA.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wD6pHQ8wuhWk.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lkl1RPCFHdtJ.bat" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
Files
memory/1696-0-0x0000000000D30000-0x0000000000D9C000-memory.dmp
memory/1696-1-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/1696-2-0x00000000004C0000-0x0000000000540000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 8b7e418a22d865cec6c71cf4065670cd |
| SHA1 | bfee39fb95357b1d26b1a0d63c3be1c419bba863 |
| SHA256 | 67608e9feb50730d82c4b5d8b3733d12be5d67c5c58c495a300109671954daf8 |
| SHA512 | 182aa721316e58831aa0ffd8fde4fb7b70585f46e2b73a3ec89421a63afe51d0b4a1117b9e9f848f3b1cec06242423b783fd4060b2d7a29706fdfe488d1faa5b |
memory/1696-8-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2476-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2476-10-0x000000001B050000-0x000000001B0D0000-memory.dmp
memory/2476-7-0x0000000000900000-0x000000000096C000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | eba770f04e0dc08010259aaccce23bc3 |
| SHA1 | 059b2a1be4de5d6bb7042a97eb6191424e4bf1cb |
| SHA256 | d44e9e5cc320a88fe5735e3df59fc7f654583e6fe5752a4deb8c5505a6f1fe2a |
| SHA512 | 6772c6454ba9d58d093010bfc9740f6e94ec11bfa9c5af5be089467b9ef96b821ea3616dec3b4bce3642cb112b9ae9251345225adad87f126c3f2be8be8d4766 |
memory/2476-20-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9Bp2nfTtUJa2.bat
| Hash | Value |
|---|---|
| MD5 | e64e876b923c627d47089d8d8fd64bfa |
| SHA1 | 5c6ad0928a1ce788821bb515e6f835225e552668 |
| SHA256 | 80317a3d292db75885c2707c6560d8b6bdae6ee10c940ef23e1d6d53151c3914 |
| SHA512 | 665ee0fd06420f76213fb2e2184f8803434eabac430ab3a508fa80bcd10fbd252133abe31b80a7d18ea6d9f75f8809706eec2db4f90f453dadcff320d0f022f2 |
memory/2600-22-0x0000000000F60000-0x0000000000FCC000-memory.dmp
memory/2600-24-0x000000001B050000-0x000000001B0D0000-memory.dmp
memory/2600-23-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 52eb749199e45b55a03ee798d4160729 |
| SHA1 | 9ae69eeb659e2ace8b013e52d7d42d68714c8d0b |
| SHA256 | 72697bd2d29f7b5385c779c8888e82ab5432c34d4a1734409941b58504a32092 |
| SHA512 | 4737c6c79be8e935108290fef46aaa9801e4b8bbf00e7588516f671ecfcd5c7e651ac1b1c34e2d3d936a0c6bcb5ede0a8c03833b4d600f10622e5924f3d6aaea |
memory/2600-34-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cmdDBd18SDUl.bat
| Hash | Value |
|---|---|
| MD5 | c1ac00a0803f375fa3e0664b413a18fe |
| SHA1 | 8319b9e5c048060f878ee567f11aad0b17129c56 |
| SHA256 | c2ef2d5510c89a7e4326b78a63ce465ef51908b909af8bef7cdc4233f90c39bc |
| SHA512 | 3d7f6b5109cf0c49aefa1445644d937807c59c2a5409a0c3f10d7a91b414db8e77b5742f7381a34aed174adc9f94dcb9564ea61fce77bd47f6fe6fed3624b8e9 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 919ff31916e6655a9f966f90230a95fd |
| SHA1 | 5fda646e0197a076d04872602490938088af7932 |
| SHA256 | 431ad43f8cd1d1dafb9fa324e1cea70ee6e54d72a41195fd122c6b33876f5b72 |
| SHA512 | d2e57dd0ac4f6a94cfda37c6c69ae35da422fbfa3b203bdea22f63238f6921d0dd4e41800dcdf39db1ceab18aa196526d7a439128d3fde70955ca98711c087b4 |
memory/2936-36-0x00000000000D0000-0x000000000013C000-memory.dmp
memory/2936-37-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2936-38-0x000000001AD00000-0x000000001AD80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WkEqkoDeQEU8.bat
| Hash | Value |
|---|---|
| MD5 | 5f5bb1bd14cecf84adb53bb5f6dec29c |
| SHA1 | a21de33013edc6166fd10c38975cdfa75d940e73 |
| SHA256 | b13e365e5f2e421d781aa07c1be81a4ea7a54a5c1b9b3280163106d9c79886e5 |
| SHA512 | cc74279ebdfc59eb31d9dec3fcccf71d024fe03e6c745f25e99446d12e7026e37c141d53905c6595b32b89dcba47c518b0c4557db1f99d84339d534bf65847cc |
memory/2936-48-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/1628-50-0x0000000000A50000-0x0000000000ABC000-memory.dmp
memory/1628-52-0x000000001AE00000-0x000000001AE80000-memory.dmp
memory/1628-51-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 497c5b80b0353ef88f46c46444a2930b |
| SHA1 | 6981add38a6998b24f839a2812a3c23318915458 |
| SHA256 | fd6cb5c5e44ea6c8c6ab8e38dde02ddf7f56c0965fd53e5306df7ca528463fef |
| SHA512 | b66ee764b1db8404b0bce8e8219052b571b35ffdab8188ec0b4d42e1a5574985c1e8c0ba553d53bf5f5cc620147c8348c0d03cf04f48ea3fc09cad7f717f928c |
C:\Users\Admin\AppData\Local\Temp\Jym5a0QNLHRS.bat
| Hash | Value |
|---|---|
| MD5 | f07b22557b0aa85fe74d6f28a025ab5d |
| SHA1 | 49195ef2e3a8be3e8bead57c80f9ab18bf274d6c |
| SHA256 | 7744e5586b9086b9531fe0fd13017e74ef820664f7d40e9735c9c8ca02db01e4 |
| SHA512 | 3e6733ead3cd70dc49fb8746eab43c1806ec6a9f88d0300879e24527fab0a03f399bbca097d36c32055fe543932767b3447fcf745aa49abecf9f7b43b0bb809a |
memory/1628-62-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/752-65-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/752-66-0x000000001B070000-0x000000001B0F0000-memory.dmp
memory/752-64-0x0000000001230000-0x000000000129C000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 2d9ed6a3441f0ff1ea31e83bf47d585a |
| SHA1 | ff5b26cd492bacc4e5060341859763bb5945bf33 |
| SHA256 | 47e4a284c99435f0c61167c387855a0bc411abd24965aee0bef463fb6acb292e |
| SHA512 | 953205cdd4a880292288944c5223cb7951aeac831ffaa518b60853693cd43803dfc2ea0d5fe0f52ac0a743c4988b21e4358a0f462ba6fb44e011f0093cd60b60 |
memory/752-76-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6acYAAQSq2SG.bat
| Hash | Value |
|---|---|
| MD5 | bfd0823e1b8bc38ca51407169e8e0f3a |
| SHA1 | ba119074467343806d7e71124a0ff829398b29d4 |
| SHA256 | 2e318868a3152c68f9c8f8fe0fde538f6cf8175ac9d2c6f5d1669f85bfa8b414 |
| SHA512 | e12ea194f409ad89b4af313e7114356c2b1dce0e4018e6fb677c90a108977aaab32c174709c0fb3dcecb5747e5e99ad481165e8f21c42d7e83550085097720e4 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | ddb0f4d2e1b6e1a67e2abd59c1baa5bc |
| SHA1 | 8a61a41ab0a34f2e9cef9c06e1288a49b5f13707 |
| SHA256 | 618290deecc60ee312e6c1ffa0a72237b2d7b9fe2be957eed4a3b3f6fac1ef01 |
| SHA512 | 51d10c215f573915c1d3c9705371898059a45f35eb7608b3403f23d90bb297a0ccd5bab752b1f7136f3f9323480683ffa4424921652fe5c9f483d188eb7ddeda |
memory/1052-78-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/1052-79-0x000000001B090000-0x000000001B110000-memory.dmp
memory/1052-89-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\18ZIle8psmyg.bat
| Hash | Value |
|---|---|
| MD5 | b3171cf9d40e555217eaa762cbba5f76 |
| SHA1 | e1354ef51c6a8bedab567e21fac0bf3de46c7139 |
| SHA256 | 0659566ebf6c881721d3b420cdcc950e3927dfcd0d5f37da9873a27f7e97dacb |
| SHA512 | d359d3dfb0361b9b6825b00d9c88818eb312f4ebaa46e2c34b9b0cad812c724faba8278d66653610ca0ea559c675981f79bb1c1e05d03a05f2002245ce0937d1 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 936e3bdadee1ff23f016a42a81bd5a49 |
| SHA1 | 589f34bbfa8c139e9dfbbaf9aa620d52770bd50a |
| SHA256 | f2aa9de2cec5efa96d12dd5b0c7de96d9ad253d881ca4722136386fafbbfaeb9 |
| SHA512 | 17842935de79b769f9a085ae1c8f21bccc19d13cec4fd4f0a37a01fe890897c44b2c407f50eb5e90d4c7166fe2ad7f2bb15eb194b5950f52be2c32f8cfae3aa4 |
memory/1808-91-0x0000000000BF0000-0x0000000000C5C000-memory.dmp
memory/1808-93-0x000000001A910000-0x000000001A990000-memory.dmp
memory/1808-92-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/1808-103-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XbzgDeiGlc7n.bat
| Hash | Value |
|---|---|
| MD5 | 81e060fc13ed3cabfeb1cd61682beb93 |
| SHA1 | b588669191396ebae29889ac035a4801193d3206 |
| SHA256 | 00b9221d25cf089b46442e253f62b395c1c945335b72883ba43a772bfe19fedf |
| SHA512 | d99901d51877555f384c6775b807ae8abd7f64191b90f090783fd97e5d383734dce926c44cb8cfbd1d8de73a83f1df54304425ba7b97f40a7354041fe8baaaf9 |
memory/2788-106-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/2788-107-0x000000001B000000-0x000000001B080000-memory.dmp
memory/2788-105-0x0000000000E30000-0x0000000000E9C000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 9a8ed93b572d27a90d79e5590efca552 |
| SHA1 | 023575a94013d9ef392512fe6aaa090db04c1f54 |
| SHA256 | e31d5cdfc49a099cc8f825befd1858f7814b96715613a3cc42fc6b81a9d50b9f |
| SHA512 | 05e07de5407ae3da03a55f69a5a9f4748251700ad6f550a1efb007e16ac0367180120cdabc8207cc20638a6dd60d8ba8a38921193e13815990890c17e42fc548 |
C:\Users\Admin\AppData\Local\Temp\O53NPGrZamwn.bat
| Hash | Value |
|---|---|
| MD5 | 6e569935f826c3a859568b75c5d1a429 |
| SHA1 | a702e583abb15ea133c18ce66b9ec39f487dfefa |
| SHA256 | 736941c56c2985751f432c731d4f4cac7670ee4eecaf04c32d56a3854fc68cbb |
| SHA512 | aaa133cc4acc6d197807d90aece9b029802f705532a711afeb876cbd408397b28c859f93b43d2259da2b2ee8fc716a42e687fe5d8986748eecc2a5f44994b171 |
memory/2788-117-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/1876-119-0x0000000001330000-0x000000000139C000-memory.dmp
memory/1876-121-0x000000001ADD0000-0x000000001AE50000-memory.dmp
memory/1876-120-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 9e85275231a75fbd401dda2b578cd8f0 |
| SHA1 | 299536c87d53c3951250ef0802c2fb9c4f874b21 |
| SHA256 | 730761b659fe7a639e9e3e0368d96a02b4e90d11d4762702d4dd6058211a1003 |
| SHA512 | 6eb5da403ca9c79152e8d4e3ae367b4f85defd81d13ac1e92c2f923c59b753bdc7eed05a0dbfa0be046a92e61cfa2f622a600623cae64c2c53211605dbd2c77e |
memory/1876-131-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HyXQPj22pM6f.bat
| Hash | Value |
|---|---|
| MD5 | 77116280343e090d10a62f8c44b5067b |
| SHA1 | 245f59b47eb8af8c5a8e7ce93ab4ce9d5b2b4c92 |
| SHA256 | 52421dad277c3a6fd57b0789104c65fa4b9c90fab9cca4b3f6cecf3acdb5674d |
| SHA512 | e509d83590c2233fef8a99d02b427b8ce451db624bcb50c025fb764996ca0fc44bc38b88ad2ac28afd6417521a72da99300ce3c87785d15e0e7613939101e4e7 |
memory/1996-134-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/1996-135-0x000000001AD90000-0x000000001AE10000-memory.dmp
memory/1996-133-0x0000000000360000-0x00000000003CC000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 6f00578d80883e8b3d20d9b57c082141 |
| SHA1 | fb005805e124428aa7406bbe9d8ff941ff1ec487 |
| SHA256 | 9aff924407aa85b2517e4aab0502e919022dcb7f8db0d76a96482df36334bc97 |
| SHA512 | 61d6cb87dd9a255d0e279943a2ff3c29befb010c8c17a9d3bf354b5cde11e04017d641f5eb95981533fbb8b440fc438e6b27652745f40f9dc394b3554f83560b |
memory/1996-145-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hKrAKlAcQjLE.bat
| Hash | Value |
|---|---|
| MD5 | 8dd2f697de22c5ab2f02990ca7d514d4 |
| SHA1 | 18202e0fa1b84840dd391830dfad01a49c7f3065 |
| SHA256 | ade12b6714e7fe1e876fe2052635c5800bc3069b6516fcd2d1b4c6b1d1ea797e |
| SHA512 | 115afbc3e4f290089551739ec2b3138b5e655a078687c93aee5fa0bafb33e4e26ca8ff61a8b8408c899f62bce77405a441d241524a81bf256e38684c1a30be41 |
memory/3024-148-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/3024-147-0x0000000001130000-0x000000000119C000-memory.dmp
memory/3024-149-0x000000001AEC0000-0x000000001AF40000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 704a290fa51e246e7ea44d46a6fbd1d9 |
| SHA1 | 274304febb06aefda08172e938f99fb7b92c8b99 |
| SHA256 | 0fb3576af7e42b9ed191b3362ccd6aac9031ad420641bd19e90070005f1bb1d5 |
| SHA512 | 47200eadb08bcefc7222627186f8a795d64e273f952b67e8dd141cd63ddf1912aed06024797e284ed32484a49e4a94590a3050a5a4e47c78da2fb616b802274e |
memory/3024-159-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD58Ja4KwEA9.bat
| Hash | Value |
|---|---|
| MD5 | c5471e97e6b179f8a9b4c158ab1b6b7f |
| SHA1 | 62399f7c1c1bab7166cabeeba2541d361b471c5d |
| SHA256 | 951687141ddebd91775acfe55c9307ab39fc6fc03814b9f502c5a4aeeda8c72e |
| SHA512 | 609bd75bfeb3f8b87e1efe27c56264216ae067ad2f17485c1dd7595142b8f0bb1a78bfec358818bf35ce2d1481f80f57aeb0350fabd8a2d24fbfcbac660bf04f |
memory/452-161-0x00000000000B0000-0x000000000011C000-memory.dmp
memory/452-163-0x000000001AFA0000-0x000000001B020000-memory.dmp
memory/452-162-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 6944dcacf924460e0226ef0618472ee1 |
| SHA1 | 5867ad8a215459fd4f303c8af456df1e258d1cf9 |
| SHA256 | 79e136bac48689125ff3d9d0d134cd90b4889ea4673c9bacf10b4191b14017ec |
| SHA512 | 04f27ea1d2d5ea4564cda345b94fd062b76d6116b646ffcffe8a57aef34df9a8c8aad35dcda893fe812d416916b6bbb44c847cc910ae57989ffe20f88a9b4d95 |
memory/452-173-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8B1X4J9lCc2S.bat
| Hash | Value |
|---|---|
| MD5 | 182d5021ac7a3fcf33c7107c47fcd329 |
| SHA1 | 233d3cf96f9ff686c1713f7ee34b1a59c9484e65 |
| SHA256 | 8ac1abf3e885ca348018942e715791dd6fd3fe893437a61432c0b0da76381d31 |
| SHA512 | 74fbebda69cf77121e7d2d61cdb7e53b9a020518776cbb2d13c153df9ad7086a6755c40a31f8848fb825d81ef32476b6215d7a8a80375d31c82c67a5cfe1d3fc |
memory/2420-177-0x000000001A7D0000-0x000000001A850000-memory.dmp
memory/2420-176-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2420-175-0x0000000001180000-0x00000000011EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 474428b77d0307911388f60df1eae277 |
| SHA1 | 766a553043f96d7a64603c43b57907e13da101fa |
| SHA256 | 92bb8a56c3e6ddc7249cb3aecb48b5d86f95562f0adc8085af7aad121ee81228 |
| SHA512 | fb792826eff6fe8654e461c88d3fbe1aebcfca3c2af1ab2f2571171a8f9bc97ef6b07f9f15f1dccfce62c5fbcc0bef03a5889d4491b2bf881f1e7d8274f8655f |
memory/2420-187-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rKrcwCTD9cUA.bat
| Hash | Value |
|---|---|
| MD5 | 43874bafc98932e1b51612e2ca7d3046 |
| SHA1 | c25c2997da4988f13e2dd58a39df61fbb55792bd |
| SHA256 | 856c9cd407d946353f15ca6f85b07d2ab83af02c27ed9d469bd920cc50d412b1 |
| SHA512 | df26300c8e2a260fc0178ad493ccd9d28801b04a6aa41961f761c7f0a203db4d388a4ae374e5228666e394c3d58ee363c6bd6f3e38f46b92da82890252e96ed9 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 2074c340598fc920d91be1da6f93530e |
| SHA1 | 32a0fd9e35e1cf8636d057fadb8da36a92e62415 |
| SHA256 | 89d54f8b1bc623987d951354f710f90767ee1e9c3c414618a010eeb5ef913731 |
| SHA512 | 14370a804b7e91fdb693234195151f8f607927169978d7329020f7d1a1e9714e8b27d74718e940c73d8127ea4560bf72d93485216dc014a78487ae7835bf7443 |
memory/2820-189-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/2820-190-0x0000000001100000-0x0000000001180000-memory.dmp
memory/2820-200-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wD6pHQ8wuhWk.bat
| Hash | Value |
|---|---|
| MD5 | 4e10a84d138238aed4ab3529c7ca6f77 |
| SHA1 | 188ed5047b8ec46a0ce6cac14d28459e9fd4eb48 |
| SHA256 | 872c791ba038939ed3213378a52fbb8d7da063f7d0888d364f5522583efcf34d |
| SHA512 | 99d80a1c2de47b13a2486e1f36158eee187f0537b31f55481c257c2cec19d2fa95885c42951460dc6afa29c117d0b0cbf55d9c74c5a0a540654b1f411a032291 |
memory/2476-203-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2476-204-0x0000000001210000-0x0000000001290000-memory.dmp
memory/2476-202-0x00000000012D0000-0x000000000133C000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | 1b4897d67d70b78e9dc06dfb1eb8b599 |
| SHA1 | 2335f4272bd14dc4922d3bec6727b121b6d8a0a0 |
| SHA256 | 501cfda7db7e8b0d7b278b677af5dd4e8811a204fbec75199c9b2f34148b655d |
| SHA512 | cd058fb2127354d623540de7bd6c52214c6463fe846ecd3d2e858391c8407a79dcbbfe4fca50fa084b9a60e0abe8bd31d63351fbb58da85525011ec21911d1c6 |
memory/2476-214-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Lkl1RPCFHdtJ.bat
| Hash | Value |
|---|---|
| MD5 | 15293f7a2e588470c8e2d730869a090c |
| SHA1 | c0aba93b93f49cc30927e3eafb86223d2f0c2382 |
| SHA256 | a3ae2af4a1ac39abf206aa2b3791e5e9b2d7f3e289c2d580af676da11a45a6cb |
| SHA512 | ddec91a70049fed4089a73b62406c8c946dc6f57eed519c94acf0b775f9cb105b6df786f23ac6a564c8ac0a87b0a774c081f9124d8fb9d0c0e6e7fdecd4293d3 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| Hash | Value |
|---|---|
| MD5 | e44a7d922251a67d82d7faf3db62e780 |
| SHA1 | 3766b0492b1d464530f06c2ad507401a3e221038 |
| SHA256 | 806598219f6748f1512c6a8902d3b67cac533bebcd706bc6510748eeedb1dac6 |
| SHA512 | a124a1199bafca6220c327587383c3cd72d45316ab72dfd58085aa99085b54d9d02773de2cc76ea2188e914ba78b7566573399a813fda3e473b49ae476668538 |
memory/2772-216-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/2772-217-0x000000001AF20000-0x000000001AFA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\n6VQwNXj9cAs.bat
| Hash | Value |
|---|---|
| MD5 | d1f0c2f5ff624ff9223c00d9140b8dd3 |
| SHA1 | a3118a32dcbfecd3a98e99e8b44002f495a2716e |
| SHA256 | 1e4be50480719528e13b4577b1427989a5a3035db09f2c850d23e5bd73f548bd |
| SHA512 | 841204f4e52b320d376bd05df56fa70776931bebfb2a58b5b5292a68973ea11ce6f2c228b40d9eee3571ce7d722d9106e460dcb3981b44d2fa6d39d8acdd25a5 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 20:53
Reported
2023-12-30 03:23
Platform
win10v2004-20231222-en
Max time kernel
3s
Max time network
145s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\directx\directx.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\directx\directx.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\directx\directx.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1248 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1248 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1248 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe | C:\Users\Admin\AppData\Roaming\directx\directx.exe |
| PID 1248 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe | C:\Users\Admin\AppData\Roaming\directx\directx.exe |
| PID 4068 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Roaming\directx\directx.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4068 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Roaming\directx\directx.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe
"C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe"
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAu48vdKLYnJ.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sE8hKRsp3IYP.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LVyPVCk77NWq.bat" "
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4PJb5cRc15XL.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0QTeqpnOy5bH.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6BFwVcr4SwFw.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqTaqXWpYKVU.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JTydaqoCWyox.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ubfuvxHEssUk.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yzySlYhdPgLR.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0WEj6h1R9uvl.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CdmtmNyq6HlJ.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EstC8ugQ3G6N.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dhFKWjBHlOAE.bat" "
C:\Users\Admin\AppData\Roaming\directx\directx.exe
"C:\Users\Admin\AppData\Roaming\directx\directx.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QZBfU9kAveWu.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | forthacks.hopto.org | udp |
Files
memory/1248-0-0x0000000000100000-0x000000000016C000-memory.dmp
memory/1248-2-0x0000000000A10000-0x0000000000A20000-memory.dmp
memory/1248-1-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | ddf36ac759eb755a7bc5cf308d452e0c |
| SHA1 | c14f52922af2d31b151124fbe16f81f12af4b824 |
| SHA256 | 7faaeeff5ea7931e9138182fd3db049c7f45a0d8f536117dde970b2bb86e5622 |
| SHA512 | 1df06eae9b90d98782c0347d57309d3e006fb35ac4d8478277a7266d767dfc504f55797238a37223852537561eb14e71e3daa95133cef70a16f1bd64fecea195 |
memory/4068-10-0x0000000002300000-0x0000000002310000-memory.dmp
memory/1248-9-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp
memory/4068-8-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | fd72cc2209f89040f0ccf4c3852b85a8 |
| SHA1 | 089df9f3ea9a05ed679c73bc47ad56e2eb8f933b |
| SHA256 | e09449ccd4be7041a644724989b5a65a5672e9012002c24686f4c1ec19d281a3 |
| SHA512 | a56fee2a1319ae091663d65f89445a799e500741b38d3a7d788605c8c4209a987a5c9d39ded1cb33c712d367322286b69f87a2a44b968c575ed67f49ab93d38e |
memory/4068-11-0x00000000022B0000-0x0000000002300000-memory.dmp
memory/4068-12-0x000000001B400000-0x000000001B4B2000-memory.dmp
memory/4068-18-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JAu48vdKLYnJ.bat
| MD5 | 770d332368f990504cd0a5497979d902 |
| SHA1 | 34cc3635187c6730970c304b8c84585e76f3848a |
| SHA256 | a0cf5d11908884f2e124bbdacd1a33907eff12a54b294ab05ef0e00ed047dad1 |
| SHA512 | a48642b4b1adcd2d4aea7d1fd77668a73a6368b8f578b5b7943ad758bbe6c6e94b55987b1db38b028f0ee92379a8531118a4dd48c94dac7fc85811a62c2bd42a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\directx.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
memory/1604-22-0x0000000002980000-0x0000000002990000-memory.dmp
memory/1604-21-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 5bb7480b114dcca1114947d3310121d2 |
| SHA1 | ad04de31564fef2a95d0affabdfcda8b93115c85 |
| SHA256 | 1aba2cc3c4a5eaa3fa8bc850515897c41015e7a265a16d1dce7bb6a0b8c12bf5 |
| SHA512 | 835c4189acf144bda1889725c86f02ef968b4bac5c2d209c51ad03f21c18ffdcfb0e1584ec2daa47becd33a4248a0439881c63608d7a063af125604c1b45e965 |
C:\Users\Admin\AppData\Local\Temp\sE8hKRsp3IYP.bat
| MD5 | afa85934606fc42b3516598876271382 |
| SHA1 | 677df11495e5b9f59852245674d380e9e621f756 |
| SHA256 | 6ba87c1302c5e24e43702b58f2a76b26049d2d23b8f37e3d62cfd320be8117f6 |
| SHA512 | 6bf7824a634207b2056fd1f7cd65985ec38b739216905bb40215db660063dc7fc16c3190d77df2f0954322815c47f6521184f06319c2887e142da5d730196318 |
memory/1604-27-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 5c4c695586558c44d53f07915c8f7d74 |
| SHA1 | 2311fff3b543ddb3b2d1c5c1143600fc9026d7a5 |
| SHA256 | 6e293cfa3eaf856646e43a8e2e56818fb684a2a92eeddb1d049263eb96680154 |
| SHA512 | daa6dc0305cf18d1b97f43d1a92522420e9e9e90a1b948c1cd11f4816eac7c45d8d703ba9634a5481989aefd2e709f19b89a6893fab8f6f58c946564a95fec6a |
memory/4716-30-0x0000000000F50000-0x0000000000F60000-memory.dmp
memory/4716-29-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp
memory/4716-35-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LVyPVCk77NWq.bat
| MD5 | b697a368c56dbc7ae6e9d5c570ecc616 |
| SHA1 | 97e49d905158991b018809131215934623a20081 |
| SHA256 | ba04615cf1896963afbf760e0b013af8b9b4a5d1c31942542c4d8428377b96d0 |
| SHA512 | 1e003d057016b525c6bba7f405158918fd3b49c54c6ae5f649de7f266469c9db725b748f11eb63a4759efb158760298b88ab09ce9817511ba1989736e79d5f35 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 1f4186175deea006a899d4c4019b53f7 |
| SHA1 | 67672ea57b1d549ab8c70685cf7782d2b7720d74 |
| SHA256 | 2166f553f3620ba794083e82fef8f3cc42711c730e9d5c5046a795967160c8ab |
| SHA512 | af77d120c107f26edec89818eb9c9b897049233a8738d0766ebd2a1798c3b65c79ee62379af8609acaf62d879c8766f93230ce9a9fc30d5d5c6e11f7fb098914 |
memory/3176-38-0x000000001B4F0000-0x000000001B500000-memory.dmp
memory/3176-37-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp
memory/3176-43-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4PJb5cRc15XL.bat
| MD5 | 986ff7056253ef6d3eb66e8ce528598e |
| SHA1 | 9fddc3ed8a4abcf28517c05b073b84630469e805 |
| SHA256 | f579e3258e23dc110924e14c6384e1515e26d12fc5a896cc45c1427a676b63f5 |
| SHA512 | 3ec006401501ea2f007598355de17522a92fbd795344415cbde12e031403191960e386fcaffdffb131f4a1b1715dbe622fd95f81f151be08ce988d2c49ac72eb |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | cba047192b3c1fff06c58bd9b09892e4 |
| SHA1 | d30df78bf5a27a732594e6d4a731a42f97738014 |
| SHA256 | 3b448f7e209cb0e4ca8113d57842d58a82f576c390ace9a5fca65fc8f4973b2c |
| SHA512 | 8a14f160284b427776df213128a47e36cc502fc98508a6165ec26e8f7a8284f3116bc0e79c0437926833217066c2dd43b82b1ba9bacd9b0c9ec4d929f62d0032 |
memory/3996-45-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
memory/3996-46-0x000000001BC90000-0x000000001BCA0000-memory.dmp
memory/3996-51-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0QTeqpnOy5bH.bat
| MD5 | df477eb9bc76d2925c75f8429918f2de |
| SHA1 | 1ac25ef755e840b26f0bef2849a0ece235380570 |
| SHA256 | 336e44642304d4f202fe2eed86c7135fd0ce0162aece2d70fb1c1b42510c39a7 |
| SHA512 | d6a17b219c3fb19080030630d62743168da4ecf49a2ac507684fac709e6084800e12986dd13c96fc5470aa93eada3022f52dd63e0c24a36345f4af13e77ab0ac |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 720400a8710ea889d20fa2884d676f97 |
| SHA1 | 67b9f1d42de39251d80558896e4b2338d237e9bb |
| SHA256 | 80c1ec1def8951f5aa73737de0e89f7aadc7755c2f0f8dad8bb42a3672d570f1 |
| SHA512 | d2a722520924f8bee2ef9a1c88ae7bb4748fca26274bc738c0002c01f7c3a28ba75da2ec223c757cf74f324431c8ae1b20b797e8f525e10b483456dc9de991f1 |
memory/3860-54-0x000000001BB00000-0x000000001BB10000-memory.dmp
memory/3860-53-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
memory/3860-59-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6BFwVcr4SwFw.bat
| MD5 | ddaacbec648d6e2894b3fb3753448c4a |
| SHA1 | 3d7418962022cd5c67ea15586b8856a84f40a32e |
| SHA256 | fc7de24bbdbb05387d35dac81d508c0d6187f8c018668aa9716945c1a8e7cd19 |
| SHA512 | 898cbb8f6dc5febc5279bf842e337d6cc15f980aade2d20b8b945b4502b36739f4bf875689e6822e708b891ca2a4d44a69ff0cc9123b88af4e5dd5fb481771e7 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 56f8b1d0a9b28d54efb13b1b484ee3f4 |
| SHA1 | e74ba733a237f0fbed1a2c144975dbfc3d319e47 |
| SHA256 | 80f3cd725119ae6a1775c132783686777aa5064023f6cf113932cbc465e87fcc |
| SHA512 | ea8e0f609523e4a96c99bc6a4d0b06574f9ef9e58a8d6266e8f0f802c078ded3da3907cf6d5b4b8ab22c4814611a66807915dae4b86dfbc41f29559020c8997d |
memory/2944-62-0x000000001B9A0000-0x000000001B9B0000-memory.dmp
memory/2944-61-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
memory/2944-67-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CqTaqXWpYKVU.bat
| MD5 | 26150f48dc930319cd0f192e0af15bca |
| SHA1 | 67f1ec6a4a3db82ca22de9e2e9254983e4460850 |
| SHA256 | 9687bffed136e207cf238b976d5477b2d7a27734b10a9441b48315665ed0f919 |
| SHA512 | 9497af814785a9f5f9c0cd121545d1c28c1b4d8f5af5b9f699b355b50930dacafff99e6611ec786ae4aee7eaa2c49703874fbd94ae775ce2c673e872ba0c40a6 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 8a6f1f6e5652f557627a7b1ef91d1286 |
| SHA1 | dd97e543dd80c0b30901226623242c769bbfbf71 |
| SHA256 | 3521ca3170662e924c895daadf69aeb230c19a597f9c2b802da11303591fae06 |
| SHA512 | a575cb0971f5688c82ac713c5d0582bc83a06d1bbb09e2a95c7576008cffca817ab4ea358b5830fa036dd14f6b43b08e564d95c2eb323a88e378e07f867ef55d |
memory/1520-69-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
memory/1520-70-0x000000001B990000-0x000000001B9A0000-memory.dmp
memory/1520-75-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JTydaqoCWyox.bat
| MD5 | 08218782a2b9dcb14716160ff022b0e0 |
| SHA1 | 6204ca96598d548d4a63e03894b942296507ecd3 |
| SHA256 | 64bfc7e1623d0d040f4922022faddab35b1adc66facd9092bd6c722d70f166a1 |
| SHA512 | 6fdb8adf682a5799c5bdaa90b2819ca52723c780d6a92ac292995647a6bd607ee798bcc7e638d335bd700fbd01779fdf675103be9d886004abc31e5db00162eb |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3112-77-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
memory/3112-78-0x000000001AF30000-0x000000001AF40000-memory.dmp
memory/3112-83-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ubfuvxHEssUk.bat
| MD5 | abc65d844aa0c0cd3f888e297eb0e76f |
| SHA1 | ce1e852eb1aec31a4aa70ba850c833e8a68e041c |
| SHA256 | 2bab37c66f036bddb0566ff8fd1399e210dc2ddb39168f3fc59b2c414c388c0c |
| SHA512 | 76d16b84f22fb83292c11ed16ab09b6bcc7f97ee3f675c7358557cabc2af4acd2b347c8f7a0b884923d1fa6c9b470287469dd8d98746fe93a928dd0c544b137f |
memory/1124-85-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | dac05037da8877d7512be14b91f84d69 |
| SHA1 | 92f397ef5cd632575390ae58b84cbe391e0fd9e9 |
| SHA256 | ce9da36acb20b9569bba50be0fe71899efe3e440a63ad21ad9d8746bf1092f78 |
| SHA512 | 0e2e5b55a4551c18bf10dfc6fcd39f6d7db290d0a70fbe68261b07e035af37c46a492d122e63514e7f77af4183ed362d73c69dfc7998e0ec325c3dba35f8a82f |
memory/1124-90-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yzySlYhdPgLR.bat
| MD5 | ee868b2778e63e369bf238dba5581adb |
| SHA1 | 3854b6a2b9d9ed84177bfe6e3d41cf2f1488dd3d |
| SHA256 | 36dc6b03b78f16363aaf86b1f8f810540940514f6ca6f41f4e1430b506905d60 |
| SHA512 | 7d4d4df914029f6997d9b78258cd767ee076a2f1d2808f9934658dec29e0c830ea668281003f77a5948cc644c975566ad241f89628a354c1a7467bc5ea543220 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 6e0b87ae93a09e6e83d4efe3dc96c137 |
| SHA1 | 7542a4834e8126f9417c818017f12c6858203979 |
| SHA256 | 7ad11b56f11c79265fedce3952068d88ecc61bb24f45608be2890981f810da3c |
| SHA512 | d67ce404ac95c7fb2789a067ef4919a086e22c2dfcf018274c3f47a8001615789320f4673b54faffe0c4c800a9dd0af119e832d04b29f5af3257993bc9b9b60f |
memory/5000-92-0x00007FFB0CD10000-0x00007FFB0D7D1000-memory.dmp
memory/5000-97-0x00007FFB0CD10000-0x00007FFB0D7D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0WEj6h1R9uvl.bat
| MD5 | 6f2fd646d28f58dc663c3dce900b2640 |
| SHA1 | c06ee845d0976c0c03029a7de274c8af4134c6f2 |
| SHA256 | c0e0086694cb792abd0835536b127100f9d9def8bcc4390943fb114fa550952d |
| SHA512 | ec63c9c3902e67a3042f715a5b81ad3c2e713c28f9b2614188e6306877bb1ac79f78992c820d082f14dcb7b914c29d5551b8aec4e3739f796e4e9a2c3e516407 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | d006864b0a7b34e31b4272a095a6b1bb |
| SHA1 | 4feda322be57c5433d7938f5f4ba4bfa2b28deb3 |
| SHA256 | 3cdb0159558976e456f63c9a36c18cb3c863dec010c42ce4351d92ef014106fc |
| SHA512 | 60b701f4bf34e37cda09202b5829e92db6867bd98e54a3f80e00f72bba04f9305bfd6041ea40fceadae1256fca7a49b9f70a8290083e5963c974e7fa3d73ea87 |
memory/4556-99-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp
memory/4556-100-0x000000001B0B0000-0x000000001B0C0000-memory.dmp
memory/4556-105-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CdmtmNyq6HlJ.bat
| MD5 | 44ba43ce493f5c6919ef4edf7b74164d |
| SHA1 | a9efd8b8ac802eb0fa2d06bade7e30ffea223b31 |
| SHA256 | 4ab84dd9793028c8ed0e90b7560b1b4c6c5a45916b930896a71ebb7e485c52fe |
| SHA512 | ffe49b45cca07f8565c0a3d257331f81fbdbf62adfa9b89c0b13efd042ac0ec2596df566083b58f75b4bc4335f8226a8849ba6e2f0e3796793c5cb4490477177 |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 392eed999115fb3a71d4be5cbe0f2bd5 |
| SHA1 | fc4af2380091c8c6e34cc9dc16a4702aa89611c5 |
| SHA256 | f2910061dea6618219f3dc03b83400ad151f7b23fcda27f2bd90494ceb15e3d2 |
| SHA512 | e8716ad4174f1f5b65d04a29e1904078764c4a8c4fb9e76658a39cca23be15f86fdd528469a72ae817885c6e8c4fc1acc7ebdd1fff0ca1e851f7e860334d3a04 |
memory/2420-108-0x000000001B630000-0x000000001B640000-memory.dmp
memory/2420-107-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp
memory/2420-113-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EstC8ugQ3G6N.bat
| MD5 | 05a225909f3ff315bbff048295a004e6 |
| SHA1 | 22fc3358a4c0395c92f81c06d7a747823103716b |
| SHA256 | 83f81056a9feb6fb4a8f34c5cc5e1a163a4782812198b40e47987c3cf7a5cc5d |
| SHA512 | 06ba9b0207965c6a69eeac5e7629e1935875b46382ff55695525334b03d9500a919458160033b60c9550a51798ac1b142de99ac6d120a446429f616900db8eee |
C:\Users\Admin\AppData\Roaming\directx\directx.exe
| MD5 | 07a9617e77c5ad8edc85305b565ad913 |
| SHA1 | 73c793c7626967f12cc2917bbf53cc55babd81e1 |
| SHA256 | 64ddc7b2e5a3353f6de51b45397b7071e351dfa1e9a737fce977ffc119cad6cf |
| SHA512 | 1cfee9e83dc2cb70a54d4e2bd8bda7654c89e2b87edcbe0fe7a2ff5a02b7400ee3dcd3859667dbdddb2199748a6368e30e8bdf1ce450d352c5a9932e321e5590 |
memory/2040-115-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp
memory/2040-116-0x000000001BA80000-0x000000001BA90000-memory.dmp
memory/2040-121-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dhFKWjBHlOAE.bat
| MD5 | 541183da3df393c5f7189f0330734ba6 |
| SHA1 | b9b137ef8bc8a7ff784510b42cdfb92b08ec6996 |
| SHA256 | 0327d7a9484bdae64f947307f4e384ad1f367f77e2e5d238cbde6e6b5e8d8852 |
| SHA512 | a00c68f31db406dcd10ddc52346013fee6274f0e3b00f1848e186c96f4035764631db3ba9421b351d20509fe4325a63ede2a942c609129e0d9db0e26f4cd430c |
memory/1508-124-0x000000001B7A0000-0x000000001B7B0000-memory.dmp
memory/1508-123-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp
memory/1508-129-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QZBfU9kAveWu.bat
| MD5 | 673f5f5cdded3541670d6599d128e777 |
| SHA1 | 7b798ff5a4c9200e84e27557bf0369b0b67fdfac |
| SHA256 | e15c46c935d2c2ca910a678b518f050d36ac148ae5df7af286df8a1db17b2474 |
| SHA512 | 1cb9bb98d3d4b58a54f4bd3f88c5a61ea8db90c16a34cafc966b2bdacc2ed9d7ef0e86216470bf0abf8fce42e9cd4f9080590ee996672c35bbf01a7e34e62c9c |