Analysis Overview
SHA256
76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7
Threat Level: Known bad
The file 76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Quasar family
Quasar RAT
Quasar payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Maps connected drives based on registry
Looks up external IP address via web service
Enumerates connected drives
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-26 09:49
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 09:49
Reported
2024-06-26 09:52
Platform
win7-20240220-en
Max time kernel
4s
Max time network
35s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
Loads dropped DLL
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1728 set thread context of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vnc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vnc.exe |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 180
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\system32\taskeng.exe
taskeng.exe {5A641D47-24B9-41D6-A3F0-603BD4D66156} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 160
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp |
Files
\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/1728-29-0x0000000000C00000-0x0000000000C01000-memory.dmp
memory/2748-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2748-42-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/2748-32-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/2748-30-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/2580-46-0x0000000000020000-0x000000000007E000-memory.dmp
memory/2708-60-0x0000000000310000-0x000000000036E000-memory.dmp
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | 16298c6cfb7e4053e025246b900484e1 |
| SHA1 | 52c77efd71b0f05f464f291a93b835f39e050b24 |
| SHA256 | 42e35ee1635566223e44d6c63a88b97b0d010336445815bbe222ec52e3c810b7 |
| SHA512 | 9648a29d229b6008f092963d42445d6dae58ea272a8413616feb7b28faf64c71ee025d919048d69dce420db05016b48a33d62e8ed923d8360e6b43b4b43730e5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 09:49
Reported
2024-06-26 09:52
Platform
win10v2004-20240226-en
Max time kernel
23s
Max time network
161s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4752 set thread context of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe |
| PID 2888 set thread context of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | C:\Windows\system32\svchost.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76809efb52fd53d3f2393e875b759cc2769b49bef7192cee05c9c97994b90bc7_NeikiAnalytics.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1352 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4KnJVB66oZDx.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2532 -ip 2532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 2316
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jb50gGOnO8aO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3256 -ip 3256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 2292
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sockartek.icu | udp |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | sockartek.icu | udp |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| RU | 5.8.88.191:8080 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
C:\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/4752-18-0x0000000003580000-0x0000000003581000-memory.dmp
memory/4772-27-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4772-19-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4236-31-0x0000000000860000-0x00000000008FC000-memory.dmp
memory/4236-30-0x0000000000900000-0x0000000000901000-memory.dmp
memory/4236-32-0x0000000000860000-0x00000000008FC000-memory.dmp
memory/4236-36-0x0000000000860000-0x00000000008FC000-memory.dmp
memory/3012-39-0x00000000000F0000-0x000000000014E000-memory.dmp
memory/3012-40-0x00000000050D0000-0x0000000005674000-memory.dmp
memory/3012-41-0x0000000004BC0000-0x0000000004C52000-memory.dmp
memory/3012-42-0x0000000004DC0000-0x0000000004E26000-memory.dmp
memory/3012-43-0x0000000005980000-0x0000000005992000-memory.dmp
memory/3012-44-0x0000000005DC0000-0x0000000005DFC000-memory.dmp
memory/2532-52-0x0000000006FB0000-0x0000000006FBA000-memory.dmp
memory/4236-53-0x0000000000860000-0x00000000008FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KnJVB66oZDx.bat
| MD5 | 64872641c898d4efda41e674cb72e9d5 |
| SHA1 | f91ac0cb8a30e502c6c8ca71cadb38e547015790 |
| SHA256 | 22900321e571420bf33fc3b2c472ac9c51018a14d80724c26e3d61f53a437665 |
| SHA512 | 99f3ba6d6c8a978f33779d23cfa777ba9bf1fb99650b47998b650556082c2ae75a9222a661d7f1b5768aee0224b51385a99f938e89e49d0838c4dfcbca38f98b |
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | 46c22df46f88857d091037b918e77ec5 |
| SHA1 | a286034e1475edf50bff960da37f7beb77193f22 |
| SHA256 | 636d88db08fd4d89030f82c81db04e7cd45c55899d70398690891d662f40ac89 |
| SHA512 | 82fcca64ed8260c1b608267b18d408f9143bf6c2caf4aec08c1f3fb4dea86012da147301061f48a00468ebf680abf64e2a62b4e341bafe2717c323f609840697 |
memory/3524-81-0x0000000000570000-0x000000000060C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
| MD5 | 10eab9c2684febb5327b6976f2047587 |
| SHA1 | a12ed54146a7f5c4c580416aecb899549712449e |
| SHA256 | f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928 |
| SHA512 | 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50 |
memory/3524-86-0x0000000000570000-0x000000000060C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winsock.exe.log
| MD5 | 5de8527438c860bfa3140dc420a03e52 |
| SHA1 | 235af682986b3292f20d8d71a8671353f5d6e16d |
| SHA256 | d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92 |
| SHA512 | 77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8 |
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
| MD5 | 151a66dcd9f039697fe93793dc90d6f9 |
| SHA1 | c5fa465376d096f030504f7ce8196be878bb3331 |
| SHA256 | c57a1c84d54085d67bda568b72a5b79b19a96d38f8cd03877db4a95d8753bfc6 |
| SHA512 | ff553547da233fadadaaee27d44ce9dc54436a1b430fee9319718197e816c9fec96db988a9f224a5096a02de17085bee78a397d6ea139f306c55837bc3fbeb76 |
C:\Users\Admin\AppData\Local\Temp\jb50gGOnO8aO.bat
| MD5 | 23411918b04044cb88ef0c0079188b97 |
| SHA1 | b9f377ca5a398aaba16bfdc02d7df9583389d717 |
| SHA256 | 58c1cc35bcf47f9ef7e16b488bffc75af3562690bee83b636db86a29a6b6120a |
| SHA512 | c8acfac6cadde26b403a18edeb14b59fc0654be3114185f9e11eeb80815b896064245693f931b24b75307e1664467903af9b90d5530e87bb20e6bbf9ba1a5d0e |
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
| MD5 | 86ad26d29e9a7d911d5d494dab481eaf |
| SHA1 | fdd1643d84b254bc06d0b0a942535e6c53564c9c |
| SHA256 | fd6b4139542679d2ff4d017798acc84badf953e951d8e471ad28b309289285f5 |
| SHA512 | 7585c6e659e01ad167a0829f570efcfc8a9e1046d382dc3409034914c25da09668465129187ebc58e6a3d8058a16287eab6aa4f0937101d4283ab56bd687459d |