Malware Analysis Report

2025-01-18 04:29

Sample ID 231229-zn91habfe9
Target 03b3994449556eb9937fb8baa0ffbffa
SHA256 3e66131bb29804bf3fd4a1550c916a767d35729f73ba0cd77b904872c9bebe95
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e66131bb29804bf3fd4a1550c916a767d35729f73ba0cd77b904872c9bebe95

Threat Level: Known bad

The file 03b3994449556eb9937fb8baa0ffbffa was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 20:53

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 20:53

Reported

2023-12-30 03:22

Platform

win7-20231215-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe C:\Windows\system32\schtasks.exe
PID 1696 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe C:\Windows\system32\schtasks.exe
PID 1696 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe C:\Windows\system32\schtasks.exe
PID 1696 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe C:\Users\Admin\AppData\Roaming\directx\directx.exe
PID 1696 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe C:\Users\Admin\AppData\Roaming\directx\directx.exe
PID 1696 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe C:\Users\Admin\AppData\Roaming\directx\directx.exe
PID 2476 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe C:\Windows\system32\schtasks.exe
PID 2476 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe C:\Windows\system32\schtasks.exe
PID 2476 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe C:\Windows\system32\schtasks.exe
PID 2476 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe C:\Windows\system32\PING.EXE
PID 2476 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe C:\Windows\system32\PING.EXE
PID 2476 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe C:\Windows\system32\PING.EXE
PID 2880 wrote to memory of 2788 N/A C:\Windows\system32\PING.EXE C:\Users\Admin\AppData\Roaming\directx\directx.exe
PID 2880 wrote to memory of 2788 N/A C:\Windows\system32\PING.EXE C:\Users\Admin\AppData\Roaming\directx\directx.exe
PID 2880 wrote to memory of 2788 N/A C:\Windows\system32\PING.EXE C:\Users\Admin\AppData\Roaming\directx\directx.exe
PID 2880 wrote to memory of 2620 N/A C:\Windows\system32\PING.EXE C:\Windows\system32\PING.EXE
PID 2880 wrote to memory of 2620 N/A C:\Windows\system32\PING.EXE C:\Windows\system32\PING.EXE
PID 2880 wrote to memory of 2620 N/A C:\Windows\system32\PING.EXE C:\Windows\system32\PING.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe

"C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Bp2nfTtUJa2.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmdDBd18SDUl.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WkEqkoDeQEU8.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jym5a0QNLHRS.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6acYAAQSq2SG.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\18ZIle8psmyg.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XbzgDeiGlc7n.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\O53NPGrZamwn.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HyXQPj22pM6f.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKrAKlAcQjLE.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HD58Ja4KwEA9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8B1X4J9lCc2S.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKrcwCTD9cUA.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wD6pHQ8wuhWk.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lkl1RPCFHdtJ.bat" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

Network

Country Destination Domain Proto
US 8.8.8.8:53 forthacks.hopto.org udp

Files

memory/1696-0-0x0000000000D30000-0x0000000000D9C000-memory.dmp

memory/1696-1-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/1696-2-0x00000000004C0000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 8b7e418a22d865cec6c71cf4065670cd
SHA1 bfee39fb95357b1d26b1a0d63c3be1c419bba863
SHA256 67608e9feb50730d82c4b5d8b3733d12be5d67c5c58c495a300109671954daf8
SHA512 182aa721316e58831aa0ffd8fde4fb7b70585f46e2b73a3ec89421a63afe51d0b4a1117b9e9f848f3b1cec06242423b783fd4060b2d7a29706fdfe488d1faa5b

memory/1696-8-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2476-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2476-10-0x000000001B050000-0x000000001B0D0000-memory.dmp

memory/2476-7-0x0000000000900000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 eba770f04e0dc08010259aaccce23bc3
SHA1 059b2a1be4de5d6bb7042a97eb6191424e4bf1cb
SHA256 d44e9e5cc320a88fe5735e3df59fc7f654583e6fe5752a4deb8c5505a6f1fe2a
SHA512 6772c6454ba9d58d093010bfc9740f6e94ec11bfa9c5af5be089467b9ef96b821ea3616dec3b4bce3642cb112b9ae9251345225adad87f126c3f2be8be8d4766

memory/2476-20-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9Bp2nfTtUJa2.bat

MD5 e64e876b923c627d47089d8d8fd64bfa
SHA1 5c6ad0928a1ce788821bb515e6f835225e552668
SHA256 80317a3d292db75885c2707c6560d8b6bdae6ee10c940ef23e1d6d53151c3914
SHA512 665ee0fd06420f76213fb2e2184f8803434eabac430ab3a508fa80bcd10fbd252133abe31b80a7d18ea6d9f75f8809706eec2db4f90f453dadcff320d0f022f2

memory/2600-22-0x0000000000F60000-0x0000000000FCC000-memory.dmp

memory/2600-24-0x000000001B050000-0x000000001B0D0000-memory.dmp

memory/2600-23-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 52eb749199e45b55a03ee798d4160729
SHA1 9ae69eeb659e2ace8b013e52d7d42d68714c8d0b
SHA256 72697bd2d29f7b5385c779c8888e82ab5432c34d4a1734409941b58504a32092
SHA512 4737c6c79be8e935108290fef46aaa9801e4b8bbf00e7588516f671ecfcd5c7e651ac1b1c34e2d3d936a0c6bcb5ede0a8c03833b4d600f10622e5924f3d6aaea

memory/2600-34-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cmdDBd18SDUl.bat

MD5 c1ac00a0803f375fa3e0664b413a18fe
SHA1 8319b9e5c048060f878ee567f11aad0b17129c56
SHA256 c2ef2d5510c89a7e4326b78a63ce465ef51908b909af8bef7cdc4233f90c39bc
SHA512 3d7f6b5109cf0c49aefa1445644d937807c59c2a5409a0c3f10d7a91b414db8e77b5742f7381a34aed174adc9f94dcb9564ea61fce77bd47f6fe6fed3624b8e9

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 919ff31916e6655a9f966f90230a95fd
SHA1 5fda646e0197a076d04872602490938088af7932
SHA256 431ad43f8cd1d1dafb9fa324e1cea70ee6e54d72a41195fd122c6b33876f5b72
SHA512 d2e57dd0ac4f6a94cfda37c6c69ae35da422fbfa3b203bdea22f63238f6921d0dd4e41800dcdf39db1ceab18aa196526d7a439128d3fde70955ca98711c087b4

memory/2936-36-0x00000000000D0000-0x000000000013C000-memory.dmp

memory/2936-37-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2936-38-0x000000001AD00000-0x000000001AD80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WkEqkoDeQEU8.bat

MD5 5f5bb1bd14cecf84adb53bb5f6dec29c
SHA1 a21de33013edc6166fd10c38975cdfa75d940e73
SHA256 b13e365e5f2e421d781aa07c1be81a4ea7a54a5c1b9b3280163106d9c79886e5
SHA512 cc74279ebdfc59eb31d9dec3fcccf71d024fe03e6c745f25e99446d12e7026e37c141d53905c6595b32b89dcba47c518b0c4557db1f99d84339d534bf65847cc

memory/2936-48-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/1628-50-0x0000000000A50000-0x0000000000ABC000-memory.dmp

memory/1628-52-0x000000001AE00000-0x000000001AE80000-memory.dmp

memory/1628-51-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 497c5b80b0353ef88f46c46444a2930b
SHA1 6981add38a6998b24f839a2812a3c23318915458
SHA256 fd6cb5c5e44ea6c8c6ab8e38dde02ddf7f56c0965fd53e5306df7ca528463fef
SHA512 b66ee764b1db8404b0bce8e8219052b571b35ffdab8188ec0b4d42e1a5574985c1e8c0ba553d53bf5f5cc620147c8348c0d03cf04f48ea3fc09cad7f717f928c

C:\Users\Admin\AppData\Local\Temp\Jym5a0QNLHRS.bat

MD5 f07b22557b0aa85fe74d6f28a025ab5d
SHA1 49195ef2e3a8be3e8bead57c80f9ab18bf274d6c
SHA256 7744e5586b9086b9531fe0fd13017e74ef820664f7d40e9735c9c8ca02db01e4
SHA512 3e6733ead3cd70dc49fb8746eab43c1806ec6a9f88d0300879e24527fab0a03f399bbca097d36c32055fe543932767b3447fcf745aa49abecf9f7b43b0bb809a

memory/1628-62-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

memory/752-65-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/752-66-0x000000001B070000-0x000000001B0F0000-memory.dmp

memory/752-64-0x0000000001230000-0x000000000129C000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 2d9ed6a3441f0ff1ea31e83bf47d585a
SHA1 ff5b26cd492bacc4e5060341859763bb5945bf33
SHA256 47e4a284c99435f0c61167c387855a0bc411abd24965aee0bef463fb6acb292e
SHA512 953205cdd4a880292288944c5223cb7951aeac831ffaa518b60853693cd43803dfc2ea0d5fe0f52ac0a743c4988b21e4358a0f462ba6fb44e011f0093cd60b60

memory/752-76-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6acYAAQSq2SG.bat

MD5 bfd0823e1b8bc38ca51407169e8e0f3a
SHA1 ba119074467343806d7e71124a0ff829398b29d4
SHA256 2e318868a3152c68f9c8f8fe0fde538f6cf8175ac9d2c6f5d1669f85bfa8b414
SHA512 e12ea194f409ad89b4af313e7114356c2b1dce0e4018e6fb677c90a108977aaab32c174709c0fb3dcecb5747e5e99ad481165e8f21c42d7e83550085097720e4

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 ddb0f4d2e1b6e1a67e2abd59c1baa5bc
SHA1 8a61a41ab0a34f2e9cef9c06e1288a49b5f13707
SHA256 618290deecc60ee312e6c1ffa0a72237b2d7b9fe2be957eed4a3b3f6fac1ef01
SHA512 51d10c215f573915c1d3c9705371898059a45f35eb7608b3403f23d90bb297a0ccd5bab752b1f7136f3f9323480683ffa4424921652fe5c9f483d188eb7ddeda

memory/1052-78-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

memory/1052-79-0x000000001B090000-0x000000001B110000-memory.dmp

memory/1052-89-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\18ZIle8psmyg.bat

MD5 b3171cf9d40e555217eaa762cbba5f76
SHA1 e1354ef51c6a8bedab567e21fac0bf3de46c7139
SHA256 0659566ebf6c881721d3b420cdcc950e3927dfcd0d5f37da9873a27f7e97dacb
SHA512 d359d3dfb0361b9b6825b00d9c88818eb312f4ebaa46e2c34b9b0cad812c724faba8278d66653610ca0ea559c675981f79bb1c1e05d03a05f2002245ce0937d1

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 936e3bdadee1ff23f016a42a81bd5a49
SHA1 589f34bbfa8c139e9dfbbaf9aa620d52770bd50a
SHA256 f2aa9de2cec5efa96d12dd5b0c7de96d9ad253d881ca4722136386fafbbfaeb9
SHA512 17842935de79b769f9a085ae1c8f21bccc19d13cec4fd4f0a37a01fe890897c44b2c407f50eb5e90d4c7166fe2ad7f2bb15eb194b5950f52be2c32f8cfae3aa4

memory/1808-91-0x0000000000BF0000-0x0000000000C5C000-memory.dmp

memory/1808-93-0x000000001A910000-0x000000001A990000-memory.dmp

memory/1808-92-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/1808-103-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XbzgDeiGlc7n.bat

MD5 81e060fc13ed3cabfeb1cd61682beb93
SHA1 b588669191396ebae29889ac035a4801193d3206
SHA256 00b9221d25cf089b46442e253f62b395c1c945335b72883ba43a772bfe19fedf
SHA512 d99901d51877555f384c6775b807ae8abd7f64191b90f090783fd97e5d383734dce926c44cb8cfbd1d8de73a83f1df54304425ba7b97f40a7354041fe8baaaf9

memory/2788-106-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

memory/2788-107-0x000000001B000000-0x000000001B080000-memory.dmp

memory/2788-105-0x0000000000E30000-0x0000000000E9C000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 9a8ed93b572d27a90d79e5590efca552
SHA1 023575a94013d9ef392512fe6aaa090db04c1f54
SHA256 e31d5cdfc49a099cc8f825befd1858f7814b96715613a3cc42fc6b81a9d50b9f
SHA512 05e07de5407ae3da03a55f69a5a9f4748251700ad6f550a1efb007e16ac0367180120cdabc8207cc20638a6dd60d8ba8a38921193e13815990890c17e42fc548

C:\Users\Admin\AppData\Local\Temp\O53NPGrZamwn.bat

MD5 6e569935f826c3a859568b75c5d1a429
SHA1 a702e583abb15ea133c18ce66b9ec39f487dfefa
SHA256 736941c56c2985751f432c731d4f4cac7670ee4eecaf04c32d56a3854fc68cbb
SHA512 aaa133cc4acc6d197807d90aece9b029802f705532a711afeb876cbd408397b28c859f93b43d2259da2b2ee8fc716a42e687fe5d8986748eecc2a5f44994b171

memory/2788-117-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

memory/1876-119-0x0000000001330000-0x000000000139C000-memory.dmp

memory/1876-121-0x000000001ADD0000-0x000000001AE50000-memory.dmp

memory/1876-120-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 9e85275231a75fbd401dda2b578cd8f0
SHA1 299536c87d53c3951250ef0802c2fb9c4f874b21
SHA256 730761b659fe7a639e9e3e0368d96a02b4e90d11d4762702d4dd6058211a1003
SHA512 6eb5da403ca9c79152e8d4e3ae367b4f85defd81d13ac1e92c2f923c59b753bdc7eed05a0dbfa0be046a92e61cfa2f622a600623cae64c2c53211605dbd2c77e

memory/1876-131-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HyXQPj22pM6f.bat

MD5 77116280343e090d10a62f8c44b5067b
SHA1 245f59b47eb8af8c5a8e7ce93ab4ce9d5b2b4c92
SHA256 52421dad277c3a6fd57b0789104c65fa4b9c90fab9cca4b3f6cecf3acdb5674d
SHA512 e509d83590c2233fef8a99d02b427b8ce451db624bcb50c025fb764996ca0fc44bc38b88ad2ac28afd6417521a72da99300ce3c87785d15e0e7613939101e4e7

memory/1996-134-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

memory/1996-135-0x000000001AD90000-0x000000001AE10000-memory.dmp

memory/1996-133-0x0000000000360000-0x00000000003CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 6f00578d80883e8b3d20d9b57c082141
SHA1 fb005805e124428aa7406bbe9d8ff941ff1ec487
SHA256 9aff924407aa85b2517e4aab0502e919022dcb7f8db0d76a96482df36334bc97
SHA512 61d6cb87dd9a255d0e279943a2ff3c29befb010c8c17a9d3bf354b5cde11e04017d641f5eb95981533fbb8b440fc438e6b27652745f40f9dc394b3554f83560b

memory/1996-145-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hKrAKlAcQjLE.bat

MD5 8dd2f697de22c5ab2f02990ca7d514d4
SHA1 18202e0fa1b84840dd391830dfad01a49c7f3065
SHA256 ade12b6714e7fe1e876fe2052635c5800bc3069b6516fcd2d1b4c6b1d1ea797e
SHA512 115afbc3e4f290089551739ec2b3138b5e655a078687c93aee5fa0bafb33e4e26ca8ff61a8b8408c899f62bce77405a441d241524a81bf256e38684c1a30be41

memory/3024-148-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/3024-147-0x0000000001130000-0x000000000119C000-memory.dmp

memory/3024-149-0x000000001AEC0000-0x000000001AF40000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 704a290fa51e246e7ea44d46a6fbd1d9
SHA1 274304febb06aefda08172e938f99fb7b92c8b99
SHA256 0fb3576af7e42b9ed191b3362ccd6aac9031ad420641bd19e90070005f1bb1d5
SHA512 47200eadb08bcefc7222627186f8a795d64e273f952b67e8dd141cd63ddf1912aed06024797e284ed32484a49e4a94590a3050a5a4e47c78da2fb616b802274e

memory/3024-159-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD58Ja4KwEA9.bat

MD5 c5471e97e6b179f8a9b4c158ab1b6b7f
SHA1 62399f7c1c1bab7166cabeeba2541d361b471c5d
SHA256 951687141ddebd91775acfe55c9307ab39fc6fc03814b9f502c5a4aeeda8c72e
SHA512 609bd75bfeb3f8b87e1efe27c56264216ae067ad2f17485c1dd7595142b8f0bb1a78bfec358818bf35ce2d1481f80f57aeb0350fabd8a2d24fbfcbac660bf04f

memory/452-161-0x00000000000B0000-0x000000000011C000-memory.dmp

memory/452-163-0x000000001AFA0000-0x000000001B020000-memory.dmp

memory/452-162-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 6944dcacf924460e0226ef0618472ee1
SHA1 5867ad8a215459fd4f303c8af456df1e258d1cf9
SHA256 79e136bac48689125ff3d9d0d134cd90b4889ea4673c9bacf10b4191b14017ec
SHA512 04f27ea1d2d5ea4564cda345b94fd062b76d6116b646ffcffe8a57aef34df9a8c8aad35dcda893fe812d416916b6bbb44c847cc910ae57989ffe20f88a9b4d95

memory/452-173-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8B1X4J9lCc2S.bat

MD5 182d5021ac7a3fcf33c7107c47fcd329
SHA1 233d3cf96f9ff686c1713f7ee34b1a59c9484e65
SHA256 8ac1abf3e885ca348018942e715791dd6fd3fe893437a61432c0b0da76381d31
SHA512 74fbebda69cf77121e7d2d61cdb7e53b9a020518776cbb2d13c153df9ad7086a6755c40a31f8848fb825d81ef32476b6215d7a8a80375d31c82c67a5cfe1d3fc

memory/2420-177-0x000000001A7D0000-0x000000001A850000-memory.dmp

memory/2420-176-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2420-175-0x0000000001180000-0x00000000011EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 474428b77d0307911388f60df1eae277
SHA1 766a553043f96d7a64603c43b57907e13da101fa
SHA256 92bb8a56c3e6ddc7249cb3aecb48b5d86f95562f0adc8085af7aad121ee81228
SHA512 fb792826eff6fe8654e461c88d3fbe1aebcfca3c2af1ab2f2571171a8f9bc97ef6b07f9f15f1dccfce62c5fbcc0bef03a5889d4491b2bf881f1e7d8274f8655f

memory/2420-187-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rKrcwCTD9cUA.bat

MD5 43874bafc98932e1b51612e2ca7d3046
SHA1 c25c2997da4988f13e2dd58a39df61fbb55792bd
SHA256 856c9cd407d946353f15ca6f85b07d2ab83af02c27ed9d469bd920cc50d412b1
SHA512 df26300c8e2a260fc0178ad493ccd9d28801b04a6aa41961f761c7f0a203db4d388a4ae374e5228666e394c3d58ee363c6bd6f3e38f46b92da82890252e96ed9

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 2074c340598fc920d91be1da6f93530e
SHA1 32a0fd9e35e1cf8636d057fadb8da36a92e62415
SHA256 89d54f8b1bc623987d951354f710f90767ee1e9c3c414618a010eeb5ef913731
SHA512 14370a804b7e91fdb693234195151f8f607927169978d7329020f7d1a1e9714e8b27d74718e940c73d8127ea4560bf72d93485216dc014a78487ae7835bf7443

memory/2820-189-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

memory/2820-190-0x0000000001100000-0x0000000001180000-memory.dmp

memory/2820-200-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wD6pHQ8wuhWk.bat

MD5 4e10a84d138238aed4ab3529c7ca6f77
SHA1 188ed5047b8ec46a0ce6cac14d28459e9fd4eb48
SHA256 872c791ba038939ed3213378a52fbb8d7da063f7d0888d364f5522583efcf34d
SHA512 99d80a1c2de47b13a2486e1f36158eee187f0537b31f55481c257c2cec19d2fa95885c42951460dc6afa29c117d0b0cbf55d9c74c5a0a540654b1f411a032291

memory/2476-203-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

memory/2476-204-0x0000000001210000-0x0000000001290000-memory.dmp

memory/2476-202-0x00000000012D0000-0x000000000133C000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 1b4897d67d70b78e9dc06dfb1eb8b599
SHA1 2335f4272bd14dc4922d3bec6727b121b6d8a0a0
SHA256 501cfda7db7e8b0d7b278b677af5dd4e8811a204fbec75199c9b2f34148b655d
SHA512 cd058fb2127354d623540de7bd6c52214c6463fe846ecd3d2e858391c8407a79dcbbfe4fca50fa084b9a60e0abe8bd31d63351fbb58da85525011ec21911d1c6

memory/2476-214-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Lkl1RPCFHdtJ.bat

MD5 15293f7a2e588470c8e2d730869a090c
SHA1 c0aba93b93f49cc30927e3eafb86223d2f0c2382
SHA256 a3ae2af4a1ac39abf206aa2b3791e5e9b2d7f3e289c2d580af676da11a45a6cb
SHA512 ddec91a70049fed4089a73b62406c8c946dc6f57eed519c94acf0b775f9cb105b6df786f23ac6a564c8ac0a87b0a774c081f9124d8fb9d0c0e6e7fdecd4293d3

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 e44a7d922251a67d82d7faf3db62e780
SHA1 3766b0492b1d464530f06c2ad507401a3e221038
SHA256 806598219f6748f1512c6a8902d3b67cac533bebcd706bc6510748eeedb1dac6
SHA512 a124a1199bafca6220c327587383c3cd72d45316ab72dfd58085aa99085b54d9d02773de2cc76ea2188e914ba78b7566573399a813fda3e473b49ae476668538

memory/2772-216-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

memory/2772-217-0x000000001AF20000-0x000000001AFA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n6VQwNXj9cAs.bat

MD5 d1f0c2f5ff624ff9223c00d9140b8dd3
SHA1 a3118a32dcbfecd3a98e99e8b44002f495a2716e
SHA256 1e4be50480719528e13b4577b1427989a5a3035db09f2c850d23e5bd73f548bd
SHA512 841204f4e52b320d376bd05df56fa70776931bebfb2a58b5b5292a68973ea11ce6f2c228b40d9eee3571ce7d722d9106e460dcb3981b44d2fa6d39d8acdd25a5

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 20:53

Reported

2023-12-30 03:23

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\directx\directx.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe

"C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe"

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\03b3994449556eb9937fb8baa0ffbffa.exe" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAu48vdKLYnJ.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sE8hKRsp3IYP.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LVyPVCk77NWq.bat" "

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4PJb5cRc15XL.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0QTeqpnOy5bH.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6BFwVcr4SwFw.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqTaqXWpYKVU.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JTydaqoCWyox.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ubfuvxHEssUk.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yzySlYhdPgLR.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0WEj6h1R9uvl.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CdmtmNyq6HlJ.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EstC8ugQ3G6N.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dhFKWjBHlOAE.bat" "

C:\Users\Admin\AppData\Roaming\directx\directx.exe

"C:\Users\Admin\AppData\Roaming\directx\directx.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\directx\directx.exe" /rl HIGHEST /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QZBfU9kAveWu.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 forthacks.hopto.org udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 forthacks.hopto.org udp

Files

memory/1248-0-0x0000000000100000-0x000000000016C000-memory.dmp

memory/1248-2-0x0000000000A10000-0x0000000000A20000-memory.dmp

memory/1248-1-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 ddf36ac759eb755a7bc5cf308d452e0c
SHA1 c14f52922af2d31b151124fbe16f81f12af4b824
SHA256 7faaeeff5ea7931e9138182fd3db049c7f45a0d8f536117dde970b2bb86e5622
SHA512 1df06eae9b90d98782c0347d57309d3e006fb35ac4d8478277a7266d767dfc504f55797238a37223852537561eb14e71e3daa95133cef70a16f1bd64fecea195

memory/4068-10-0x0000000002300000-0x0000000002310000-memory.dmp

memory/1248-9-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

memory/4068-8-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 fd72cc2209f89040f0ccf4c3852b85a8
SHA1 089df9f3ea9a05ed679c73bc47ad56e2eb8f933b
SHA256 e09449ccd4be7041a644724989b5a65a5672e9012002c24686f4c1ec19d281a3
SHA512 a56fee2a1319ae091663d65f89445a799e500741b38d3a7d788605c8c4209a987a5c9d39ded1cb33c712d367322286b69f87a2a44b968c575ed67f49ab93d38e

memory/4068-11-0x00000000022B0000-0x0000000002300000-memory.dmp

memory/4068-12-0x000000001B400000-0x000000001B4B2000-memory.dmp

memory/4068-18-0x00007FFB0D440000-0x00007FFB0DF01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JAu48vdKLYnJ.bat

MD5 770d332368f990504cd0a5497979d902
SHA1 34cc3635187c6730970c304b8c84585e76f3848a
SHA256 a0cf5d11908884f2e124bbdacd1a33907eff12a54b294ab05ef0e00ed047dad1
SHA512 a48642b4b1adcd2d4aea7d1fd77668a73a6368b8f578b5b7943ad758bbe6c6e94b55987b1db38b028f0ee92379a8531118a4dd48c94dac7fc85811a62c2bd42a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\directx.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/1604-22-0x0000000002980000-0x0000000002990000-memory.dmp

memory/1604-21-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 5bb7480b114dcca1114947d3310121d2
SHA1 ad04de31564fef2a95d0affabdfcda8b93115c85
SHA256 1aba2cc3c4a5eaa3fa8bc850515897c41015e7a265a16d1dce7bb6a0b8c12bf5
SHA512 835c4189acf144bda1889725c86f02ef968b4bac5c2d209c51ad03f21c18ffdcfb0e1584ec2daa47becd33a4248a0439881c63608d7a063af125604c1b45e965

C:\Users\Admin\AppData\Local\Temp\sE8hKRsp3IYP.bat

MD5 afa85934606fc42b3516598876271382
SHA1 677df11495e5b9f59852245674d380e9e621f756
SHA256 6ba87c1302c5e24e43702b58f2a76b26049d2d23b8f37e3d62cfd320be8117f6
SHA512 6bf7824a634207b2056fd1f7cd65985ec38b739216905bb40215db660063dc7fc16c3190d77df2f0954322815c47f6521184f06319c2887e142da5d730196318

memory/1604-27-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 5c4c695586558c44d53f07915c8f7d74
SHA1 2311fff3b543ddb3b2d1c5c1143600fc9026d7a5
SHA256 6e293cfa3eaf856646e43a8e2e56818fb684a2a92eeddb1d049263eb96680154
SHA512 daa6dc0305cf18d1b97f43d1a92522420e9e9e90a1b948c1cd11f4816eac7c45d8d703ba9634a5481989aefd2e709f19b89a6893fab8f6f58c946564a95fec6a

memory/4716-30-0x0000000000F50000-0x0000000000F60000-memory.dmp

memory/4716-29-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp

memory/4716-35-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LVyPVCk77NWq.bat

MD5 b697a368c56dbc7ae6e9d5c570ecc616
SHA1 97e49d905158991b018809131215934623a20081
SHA256 ba04615cf1896963afbf760e0b013af8b9b4a5d1c31942542c4d8428377b96d0
SHA512 1e003d057016b525c6bba7f405158918fd3b49c54c6ae5f649de7f266469c9db725b748f11eb63a4759efb158760298b88ab09ce9817511ba1989736e79d5f35

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 1f4186175deea006a899d4c4019b53f7
SHA1 67672ea57b1d549ab8c70685cf7782d2b7720d74
SHA256 2166f553f3620ba794083e82fef8f3cc42711c730e9d5c5046a795967160c8ab
SHA512 af77d120c107f26edec89818eb9c9b897049233a8738d0766ebd2a1798c3b65c79ee62379af8609acaf62d879c8766f93230ce9a9fc30d5d5c6e11f7fb098914

memory/3176-38-0x000000001B4F0000-0x000000001B500000-memory.dmp

memory/3176-37-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp

memory/3176-43-0x00007FFB0D110000-0x00007FFB0DBD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4PJb5cRc15XL.bat

MD5 986ff7056253ef6d3eb66e8ce528598e
SHA1 9fddc3ed8a4abcf28517c05b073b84630469e805
SHA256 f579e3258e23dc110924e14c6384e1515e26d12fc5a896cc45c1427a676b63f5
SHA512 3ec006401501ea2f007598355de17522a92fbd795344415cbde12e031403191960e386fcaffdffb131f4a1b1715dbe622fd95f81f151be08ce988d2c49ac72eb

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 cba047192b3c1fff06c58bd9b09892e4
SHA1 d30df78bf5a27a732594e6d4a731a42f97738014
SHA256 3b448f7e209cb0e4ca8113d57842d58a82f576c390ace9a5fca65fc8f4973b2c
SHA512 8a14f160284b427776df213128a47e36cc502fc98508a6165ec26e8f7a8284f3116bc0e79c0437926833217066c2dd43b82b1ba9bacd9b0c9ec4d929f62d0032

memory/3996-45-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

memory/3996-46-0x000000001BC90000-0x000000001BCA0000-memory.dmp

memory/3996-51-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0QTeqpnOy5bH.bat

MD5 df477eb9bc76d2925c75f8429918f2de
SHA1 1ac25ef755e840b26f0bef2849a0ece235380570
SHA256 336e44642304d4f202fe2eed86c7135fd0ce0162aece2d70fb1c1b42510c39a7
SHA512 d6a17b219c3fb19080030630d62743168da4ecf49a2ac507684fac709e6084800e12986dd13c96fc5470aa93eada3022f52dd63e0c24a36345f4af13e77ab0ac

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 720400a8710ea889d20fa2884d676f97
SHA1 67b9f1d42de39251d80558896e4b2338d237e9bb
SHA256 80c1ec1def8951f5aa73737de0e89f7aadc7755c2f0f8dad8bb42a3672d570f1
SHA512 d2a722520924f8bee2ef9a1c88ae7bb4748fca26274bc738c0002c01f7c3a28ba75da2ec223c757cf74f324431c8ae1b20b797e8f525e10b483456dc9de991f1

memory/3860-54-0x000000001BB00000-0x000000001BB10000-memory.dmp

memory/3860-53-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

memory/3860-59-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6BFwVcr4SwFw.bat

MD5 ddaacbec648d6e2894b3fb3753448c4a
SHA1 3d7418962022cd5c67ea15586b8856a84f40a32e
SHA256 fc7de24bbdbb05387d35dac81d508c0d6187f8c018668aa9716945c1a8e7cd19
SHA512 898cbb8f6dc5febc5279bf842e337d6cc15f980aade2d20b8b945b4502b36739f4bf875689e6822e708b891ca2a4d44a69ff0cc9123b88af4e5dd5fb481771e7

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 56f8b1d0a9b28d54efb13b1b484ee3f4
SHA1 e74ba733a237f0fbed1a2c144975dbfc3d319e47
SHA256 80f3cd725119ae6a1775c132783686777aa5064023f6cf113932cbc465e87fcc
SHA512 ea8e0f609523e4a96c99bc6a4d0b06574f9ef9e58a8d6266e8f0f802c078ded3da3907cf6d5b4b8ab22c4814611a66807915dae4b86dfbc41f29559020c8997d

memory/2944-62-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

memory/2944-61-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

memory/2944-67-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CqTaqXWpYKVU.bat

MD5 26150f48dc930319cd0f192e0af15bca
SHA1 67f1ec6a4a3db82ca22de9e2e9254983e4460850
SHA256 9687bffed136e207cf238b976d5477b2d7a27734b10a9441b48315665ed0f919
SHA512 9497af814785a9f5f9c0cd121545d1c28c1b4d8f5af5b9f699b355b50930dacafff99e6611ec786ae4aee7eaa2c49703874fbd94ae775ce2c673e872ba0c40a6

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 8a6f1f6e5652f557627a7b1ef91d1286
SHA1 dd97e543dd80c0b30901226623242c769bbfbf71
SHA256 3521ca3170662e924c895daadf69aeb230c19a597f9c2b802da11303591fae06
SHA512 a575cb0971f5688c82ac713c5d0582bc83a06d1bbb09e2a95c7576008cffca817ab4ea358b5830fa036dd14f6b43b08e564d95c2eb323a88e378e07f867ef55d

memory/1520-69-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

memory/1520-70-0x000000001B990000-0x000000001B9A0000-memory.dmp

memory/1520-75-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JTydaqoCWyox.bat

MD5 08218782a2b9dcb14716160ff022b0e0
SHA1 6204ca96598d548d4a63e03894b942296507ecd3
SHA256 64bfc7e1623d0d040f4922022faddab35b1adc66facd9092bd6c722d70f166a1
SHA512 6fdb8adf682a5799c5bdaa90b2819ca52723c780d6a92ac292995647a6bd607ee798bcc7e638d335bd700fbd01779fdf675103be9d886004abc31e5db00162eb

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3112-77-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

memory/3112-78-0x000000001AF30000-0x000000001AF40000-memory.dmp

memory/3112-83-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ubfuvxHEssUk.bat

MD5 abc65d844aa0c0cd3f888e297eb0e76f
SHA1 ce1e852eb1aec31a4aa70ba850c833e8a68e041c
SHA256 2bab37c66f036bddb0566ff8fd1399e210dc2ddb39168f3fc59b2c414c388c0c
SHA512 76d16b84f22fb83292c11ed16ab09b6bcc7f97ee3f675c7358557cabc2af4acd2b347c8f7a0b884923d1fa6c9b470287469dd8d98746fe93a928dd0c544b137f

memory/1124-85-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 dac05037da8877d7512be14b91f84d69
SHA1 92f397ef5cd632575390ae58b84cbe391e0fd9e9
SHA256 ce9da36acb20b9569bba50be0fe71899efe3e440a63ad21ad9d8746bf1092f78
SHA512 0e2e5b55a4551c18bf10dfc6fcd39f6d7db290d0a70fbe68261b07e035af37c46a492d122e63514e7f77af4183ed362d73c69dfc7998e0ec325c3dba35f8a82f

memory/1124-90-0x00007FFB0C4B0000-0x00007FFB0CF71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yzySlYhdPgLR.bat

MD5 ee868b2778e63e369bf238dba5581adb
SHA1 3854b6a2b9d9ed84177bfe6e3d41cf2f1488dd3d
SHA256 36dc6b03b78f16363aaf86b1f8f810540940514f6ca6f41f4e1430b506905d60
SHA512 7d4d4df914029f6997d9b78258cd767ee076a2f1d2808f9934658dec29e0c830ea668281003f77a5948cc644c975566ad241f89628a354c1a7467bc5ea543220

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 6e0b87ae93a09e6e83d4efe3dc96c137
SHA1 7542a4834e8126f9417c818017f12c6858203979
SHA256 7ad11b56f11c79265fedce3952068d88ecc61bb24f45608be2890981f810da3c
SHA512 d67ce404ac95c7fb2789a067ef4919a086e22c2dfcf018274c3f47a8001615789320f4673b54faffe0c4c800a9dd0af119e832d04b29f5af3257993bc9b9b60f

memory/5000-92-0x00007FFB0CD10000-0x00007FFB0D7D1000-memory.dmp

memory/5000-97-0x00007FFB0CD10000-0x00007FFB0D7D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0WEj6h1R9uvl.bat

MD5 6f2fd646d28f58dc663c3dce900b2640
SHA1 c06ee845d0976c0c03029a7de274c8af4134c6f2
SHA256 c0e0086694cb792abd0835536b127100f9d9def8bcc4390943fb114fa550952d
SHA512 ec63c9c3902e67a3042f715a5b81ad3c2e713c28f9b2614188e6306877bb1ac79f78992c820d082f14dcb7b914c29d5551b8aec4e3739f796e4e9a2c3e516407

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 d006864b0a7b34e31b4272a095a6b1bb
SHA1 4feda322be57c5433d7938f5f4ba4bfa2b28deb3
SHA256 3cdb0159558976e456f63c9a36c18cb3c863dec010c42ce4351d92ef014106fc
SHA512 60b701f4bf34e37cda09202b5829e92db6867bd98e54a3f80e00f72bba04f9305bfd6041ea40fceadae1256fca7a49b9f70a8290083e5963c974e7fa3d73ea87

memory/4556-99-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp

memory/4556-100-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

memory/4556-105-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CdmtmNyq6HlJ.bat

MD5 44ba43ce493f5c6919ef4edf7b74164d
SHA1 a9efd8b8ac802eb0fa2d06bade7e30ffea223b31
SHA256 4ab84dd9793028c8ed0e90b7560b1b4c6c5a45916b930896a71ebb7e485c52fe
SHA512 ffe49b45cca07f8565c0a3d257331f81fbdbf62adfa9b89c0b13efd042ac0ec2596df566083b58f75b4bc4335f8226a8849ba6e2f0e3796793c5cb4490477177

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 392eed999115fb3a71d4be5cbe0f2bd5
SHA1 fc4af2380091c8c6e34cc9dc16a4702aa89611c5
SHA256 f2910061dea6618219f3dc03b83400ad151f7b23fcda27f2bd90494ceb15e3d2
SHA512 e8716ad4174f1f5b65d04a29e1904078764c4a8c4fb9e76658a39cca23be15f86fdd528469a72ae817885c6e8c4fc1acc7ebdd1fff0ca1e851f7e860334d3a04

memory/2420-108-0x000000001B630000-0x000000001B640000-memory.dmp

memory/2420-107-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp

memory/2420-113-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EstC8ugQ3G6N.bat

MD5 05a225909f3ff315bbff048295a004e6
SHA1 22fc3358a4c0395c92f81c06d7a747823103716b
SHA256 83f81056a9feb6fb4a8f34c5cc5e1a163a4782812198b40e47987c3cf7a5cc5d
SHA512 06ba9b0207965c6a69eeac5e7629e1935875b46382ff55695525334b03d9500a919458160033b60c9550a51798ac1b142de99ac6d120a446429f616900db8eee

C:\Users\Admin\AppData\Roaming\directx\directx.exe

MD5 07a9617e77c5ad8edc85305b565ad913
SHA1 73c793c7626967f12cc2917bbf53cc55babd81e1
SHA256 64ddc7b2e5a3353f6de51b45397b7071e351dfa1e9a737fce977ffc119cad6cf
SHA512 1cfee9e83dc2cb70a54d4e2bd8bda7654c89e2b87edcbe0fe7a2ff5a02b7400ee3dcd3859667dbdddb2199748a6368e30e8bdf1ce450d352c5a9932e321e5590

memory/2040-115-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp

memory/2040-116-0x000000001BA80000-0x000000001BA90000-memory.dmp

memory/2040-121-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dhFKWjBHlOAE.bat

MD5 541183da3df393c5f7189f0330734ba6
SHA1 b9b137ef8bc8a7ff784510b42cdfb92b08ec6996
SHA256 0327d7a9484bdae64f947307f4e384ad1f367f77e2e5d238cbde6e6b5e8d8852
SHA512 a00c68f31db406dcd10ddc52346013fee6274f0e3b00f1848e186c96f4035764631db3ba9421b351d20509fe4325a63ede2a942c609129e0d9db0e26f4cd430c

memory/1508-124-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

memory/1508-123-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp

memory/1508-129-0x00007FFB0CBC0000-0x00007FFB0D681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QZBfU9kAveWu.bat

MD5 673f5f5cdded3541670d6599d128e777
SHA1 7b798ff5a4c9200e84e27557bf0369b0b67fdfac
SHA256 e15c46c935d2c2ca910a678b518f050d36ac148ae5df7af286df8a1db17b2474
SHA512 1cb9bb98d3d4b58a54f4bd3f88c5a61ea8db90c16a34cafc966b2bdacc2ed9d7ef0e86216470bf0abf8fce42e9cd4f9080590ee996672c35bbf01a7e34e62c9c