Malware Analysis Report

2025-01-18 04:32

Sample ID 231230-2ppr3agfh4
Target 1ee04769dbc6bd6c1d9bb696c846840a
SHA256 b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
Tags
quasar redline sectoprat office04 evasion infostealer persistence rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed

Threat Level: Known bad

The file 1ee04769dbc6bd6c1d9bb696c846840a was found to be: Known bad.

Malicious Activity Summary

quasar redline sectoprat office04 evasion infostealer persistence rat spyware trojan

Contains code to disable Windows Defender

Quasar payload

SectopRAT

RedLine payload

SectopRAT payload

Modifies Windows Defender Real-time Protection settings

RedLine

Quasar RAT

Beds Protector Packer

Checks computer location settings

Executes dropped EXE

Windows security modification

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry class

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 22:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 22:45

Reported

2024-01-04 18:06

Platform

win7-20231215-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Beds Protector Packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysWOW64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\xsvchost.exe\"" C:\Users\Admin\AppData\Local\Temp\xsvchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysWOW64 = "\"C:\\Windows\\SysWOW64\\Startup\\svchost.exe\"" C:\Windows\SysWOW64\Startup\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Startup\svchost.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Startup\svchost.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Startup\svchost.exe C:\Windows\SysWOW64\Startup\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Startup C:\Windows\SysWOW64\Startup\svchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Startup\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Startup\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe
PID 2636 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe
PID 2636 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe
PID 2636 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe
PID 2636 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2636 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2636 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2636 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2572 wrote to memory of 528 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2572 wrote to memory of 528 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2572 wrote to memory of 528 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2572 wrote to memory of 528 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2804 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe
PID 2804 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe
PID 2804 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe
PID 528 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 528 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 528 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 528 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 1076 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xDW.exe
PID 1076 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xDW.exe
PID 1076 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xDW.exe
PID 1076 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe
PID 1076 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe
PID 1076 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe
PID 1076 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe
PID 1076 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe
PID 1076 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe
PID 1076 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe
PID 1076 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe
PID 1616 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\xDW.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\xDW.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1616 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\xDW.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe C:\Windows\SysWOW64\WerFault.exe
PID 2316 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe C:\Windows\SysWOW64\WerFault.exe
PID 2316 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe C:\Windows\SysWOW64\WerFault.exe
PID 2316 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe C:\Windows\SysWOW64\WerFault.exe
PID 616 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe C:\Windows\SysWOW64\Startup\svchost.exe
PID 616 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe C:\Windows\SysWOW64\Startup\svchost.exe
PID 616 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe C:\Windows\SysWOW64\Startup\svchost.exe
PID 616 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe C:\Windows\SysWOW64\Startup\svchost.exe
PID 1308 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Startup\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1308 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Startup\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1308 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Startup\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1308 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Startup\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe

"C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe

"C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe"

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe

"C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe"

C:\Users\Admin\AppData\Local\Temp\xsvchost.exe

"C:\Users\Admin\AppData\Local\Temp\xsvchost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe

"C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 644

C:\Users\Admin\AppData\Local\Temp\xDW.exe

"C:\Users\Admin\AppData\Local\Temp\xDW.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SysWOW64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\xsvchost.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\Startup\svchost.exe

"C:\Windows\SysWOW64\Startup\svchost.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SysWOW64" /sc ONLOGON /tr "C:\Windows\SysWOW64\Startup\svchost.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FI 65.21.62.31:49227 tcp
FI 65.21.62.31:49227 tcp
US 208.95.112.1:80 ip-api.com tcp
FI 65.21.62.31:49227 tcp
US 8.8.8.8:53 shadhk.duckdns.org udp
FI 65.21.62.31:49227 tcp
FI 65.21.62.31:49227 tcp
FR 141.255.146.237:4782 shadhk.duckdns.org tcp
FI 65.21.62.31:49227 tcp
FI 65.21.62.31:49227 tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.179.238:443 docs.google.com tcp
FR 141.255.146.237:4782 shadhk.duckdns.org tcp
FI 65.21.62.31:49227 tcp
FI 65.21.62.31:49227 tcp
FR 141.255.146.237:4782 shadhk.duckdns.org tcp
FI 65.21.62.31:49227 tcp
FI 65.21.62.31:49227 tcp
FI 65.21.62.31:49227 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 22:45

Reported

2024-01-04 18:05

Platform

win10v2004-20231215-en

Max time kernel

168s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Beds Protector Packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\xDW.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xsvchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe
PID 2468 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe
PID 2468 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2468 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2468 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1412 wrote to memory of 1116 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1412 wrote to memory of 1116 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 848 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe
PID 848 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe
PID 848 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 848 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 848 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 1116 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 1116 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 1116 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe
PID 1036 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xDW.exe
PID 1036 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xDW.exe
PID 1036 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe
PID 1036 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe
PID 1036 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xsvchost.exe
PID 1036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe
PID 1036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe
PID 1036 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe
PID 2548 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\xDW.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2548 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\xDW.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe

"C:\Users\Admin\AppData\Local\Temp\1ee04769dbc6bd6c1d9bb696c846840a.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe

"C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe"

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe

"C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe"

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe

"C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe"

C:\Users\Admin\AppData\Local\Temp\xDW.exe

"C:\Users\Admin\AppData\Local\Temp\xDW.exe"

C:\Users\Admin\AppData\Local\Temp\xsvchost.exe

"C:\Users\Admin\AppData\Local\Temp\xsvchost.exe"

C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe

"C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 800

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 202.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.179.238:443 docs.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
GB 142.250.179.238:443 docs.google.com tcp

Files

memory/2468-0-0x0000000000700000-0x0000000000701000-memory.dmp

memory/2468-1-0x0000000000400000-0x000000000050B000-memory.dmp

memory/2468-4-0x0000000000400000-0x000000000050B000-memory.dmp

memory/2468-5-0x0000000000700000-0x0000000000701000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_1ee04769dbc6bd6c1d9bb696c846840a.exe

MD5 2de5e54d4624739b2f5d901cd860cafa
SHA1 2c5001e82e71b8fe8f35dcd72960f2266671a373
SHA256 e8fd8c0bf8fbb200adb70d2d5334508973f921df7c5073f68b504f5720bc8b61
SHA512 aa2960616713bbafa715198407cd4ed2e14b972ac2965997a68855bd73f6e010978f2b12841f56d9979d0a7ad0ddb82eab7a9bd3e6906d13ff0e3f91378e027d

memory/848-68-0x0000000000DD0000-0x0000000000E20000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 1ee04769dbc6bd6c1d9bb696c846840a
SHA1 ddb700fccdbc70c2decc3d89e046a7ea23ee47b5
SHA256 b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
SHA512 882622d528028fb9b572ca27d898df41cc29582b1e2e689ba74491d5e43291bb00acd49e079302237f7be5f54d392d784c1228d736e7de8a08d805d65b75fda0

memory/848-144-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/1412-175-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/2468-188-0x0000000000400000-0x000000000050B000-memory.dmp

memory/1116-199-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/848-200-0x000000001BD00000-0x000000001BD10000-memory.dmp

memory/1412-205-0x0000000000400000-0x000000000050B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fortnite checker.exe

MD5 0a56e20c58b88065dc63cf74e60eeb2b
SHA1 71cea7e0a64b8d37b93a52c405f9709ae1b89c45
SHA256 5bb3ecc855b8f2c78ee693b89aa6da9f61a89cdcca7ca1ae744dd32b5d8f0269
SHA512 c11044511dc3f7bd3c71953a297fc23fba22b7d42fa5f93af0d46bb8755793c52499c5831b77beb7858ea6bc05ea425acbd19aefcf1f8c6c3c918ca9195fe40a

memory/1036-218-0x0000000000660000-0x00000000006AE000-memory.dmp

memory/1036-219-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.exe

MD5 ad475f2552ea64ec3908548c88a19f56
SHA1 510be7f49ae1c3228e132e2a99edbe86df7e4a5a
SHA256 4051789f81b5f83ff9e5a5b2fd0521e6fc49b620a14b6c0b962e33f199091f1a
SHA512 b239bc406056a38013992d4e7bfd31b4802370512bb95b8eb88a236c92ec3235787631fa05309c0ce39cd89958ac7cee0c9fc34298f74680d2e80d60c6765e12

memory/848-231-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/1116-242-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/1036-244-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

memory/1412-245-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1412-246-0x0000000000400000-0x000000000050B000-memory.dmp

memory/4048-247-0x0000000072DA0000-0x0000000073550000-memory.dmp

memory/4236-248-0x0000000072DA0000-0x0000000073550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xDW.exe

MD5 7651ddf221f0aa01c7ed17382759a130
SHA1 b87c0bd4c7b0d88154c76725360168661f7a03a5
SHA256 1c5d88fbc24897d6c30a0b3eeecae575e4cdb319f572ccfececd5c44d9aa5f5f
SHA512 8e1f33a759fc9ebf090505300690b04f17024cdac7979a1512f1f71addb1593f604a57d8bfe6f39ab35325fa51058d4424619aed7dbff3a23d294239904ce963

memory/2548-263-0x00000000000C0000-0x00000000000C8000-memory.dmp

memory/2548-264-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xsvchost.exe

MD5 299ffbe2f18b877cb8529664a00ab2a8
SHA1 88912ad64894b4ce2a5753ae2c24177e27d2593f
SHA256 afa5d43e3a3000b03024114e1aa976eebad30557110f0d01fa6c1b228d84e79f
SHA512 7bb448ad9061f9a3b7dbaf27d4ea30151ba3713454d85d10e7eb9456fabf6c5f53e5680f218f702af13bf1b995092465fbfb0e97921889166868deaa3b83379d

C:\Users\Admin\AppData\Local\Temp\xkrackingartists.exe

MD5 d0cea60317b7935a1d381a3605604004
SHA1 8c33f5d7bbcba3071ee8973f13250b80bd6a6e99
SHA256 9f36696f543d8fd8201f116055ea04e3c4994aeefd66866a8f19303bf85b5417
SHA512 50d23122970317f760ab68844a88eb8fe58e63378bee468cd6e220cabb76b46f84f58a1b56788991a880c8056757493cbe896e21850a4d3b05c6bd8629b4e6da

memory/4680-282-0x0000000072DA0000-0x0000000073550000-memory.dmp

memory/2632-284-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/2632-285-0x000001DAE3CF0000-0x000001DAE3D00000-memory.dmp

memory/2632-286-0x000001DAE3CF0000-0x000001DAE3D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwbrs5ql.4f5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2632-297-0x000001DAE3D00000-0x000001DAE3D22000-memory.dmp

memory/1036-299-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/4992-300-0x0000000072DA0000-0x0000000073550000-memory.dmp

memory/1036-301-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

memory/1036-303-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/4992-304-0x0000000000D10000-0x0000000000D28000-memory.dmp

memory/4680-306-0x0000000000670000-0x000000000069A000-memory.dmp

memory/4236-305-0x00000000000A0000-0x00000000000BC000-memory.dmp

memory/2632-307-0x000001DAE3CF0000-0x000001DAE3D00000-memory.dmp

memory/2632-310-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/2548-312-0x00007FFCA6E40000-0x00007FFCA7901000-memory.dmp

memory/4680-314-0x0000000004E80000-0x0000000004EC6000-memory.dmp

memory/4992-313-0x00000000030D0000-0x00000000030EC000-memory.dmp

memory/4048-315-0x00000000054E0000-0x0000000005AF8000-memory.dmp

memory/4048-317-0x0000000072DA0000-0x0000000073550000-memory.dmp

memory/4236-318-0x0000000072DA0000-0x0000000073550000-memory.dmp

memory/4236-319-0x0000000004A60000-0x0000000004A72000-memory.dmp

memory/4992-320-0x0000000003100000-0x0000000003106000-memory.dmp

memory/4680-321-0x0000000007A70000-0x0000000008014000-memory.dmp

memory/4680-322-0x0000000072DA0000-0x0000000073550000-memory.dmp

memory/4992-323-0x0000000003130000-0x0000000003140000-memory.dmp

memory/4992-324-0x000000000E320000-0x000000000E3B2000-memory.dmp

memory/4236-325-0x0000000004AC0000-0x0000000004AFC000-memory.dmp

memory/4680-326-0x0000000005130000-0x0000000005140000-memory.dmp

memory/4992-328-0x0000000072DA0000-0x0000000073550000-memory.dmp

memory/4680-329-0x0000000005090000-0x00000000050F6000-memory.dmp

memory/4048-333-0x00000000052E0000-0x00000000052F0000-memory.dmp

memory/4236-332-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

memory/4992-334-0x0000000003130000-0x0000000003140000-memory.dmp

memory/4048-335-0x00000000051E0000-0x000000000522C000-memory.dmp

memory/1412-336-0x0000000000400000-0x000000000050B000-memory.dmp

memory/4680-337-0x0000000005130000-0x0000000005140000-memory.dmp