Analysis Overview
SHA256
68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d
Threat Level: Known bad
The file 68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Azorult
Quasar family
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Looks up external IP address via web service
Maps connected drives based on registry
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 23:13
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 23:13
Reported
2024-09-01 23:15
Platform
win7-20240705-en
Max time kernel
4s
Max time network
142s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
Loads dropped DLL
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2864 set thread context of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe |
| PID 2560 set thread context of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | C:\Windows\system32\svchost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe
"C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe
"C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| RU | 5.8.88.191:443 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp |
Files
\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/2180-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2180-43-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/2864-30-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2180-33-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/2180-31-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/1948-46-0x00000000012F0000-0x000000000134E000-memory.dmp
memory/2956-49-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp
memory/2956-47-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2956-50-0x00000000003D0000-0x000000000046C000-memory.dmp
memory/2956-54-0x00000000003D0000-0x000000000046C000-memory.dmp
memory/2376-62-0x00000000001E0000-0x000000000023E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 23:13
Reported
2024-09-01 23:15
Platform
win10v2004-20240802-en
Max time kernel
5s
Max time network
122s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3736 set thread context of 4236 | N/A | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe
"C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe
"C:\Users\Admin\AppData\Local\Temp\68c582be9711e05c5762d2fd7ee069519dc527b104f001c3e6962a9d4003097d.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4956 -ip 4956
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 548
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIucsTGfrfi5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2536 -ip 2536
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 2272
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4672 -ip 4672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 520
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hZdX9iEjqMN7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 212 -ip 212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 2000
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 5.8.88.191:443 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sockartek.icu | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 44.221.84.105:8000 | 0x21.in | tcp |
| US | 8.8.8.8:53 | sockartek.icu | udp |
Files
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
C:\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/3736-19-0x0000000003E30000-0x0000000003E31000-memory.dmp
memory/4236-20-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2672-29-0x0000000072ECE000-0x0000000072ECF000-memory.dmp
memory/4236-28-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2672-30-0x0000000000EE0000-0x0000000000F3E000-memory.dmp
memory/2672-33-0x0000000005F20000-0x00000000064C4000-memory.dmp
memory/2672-34-0x0000000005A10000-0x0000000005AA2000-memory.dmp
memory/2672-35-0x0000000005AB0000-0x0000000005B16000-memory.dmp
memory/2672-36-0x0000000005EA0000-0x0000000005EB2000-memory.dmp
memory/2672-37-0x0000000006B90000-0x0000000006BCC000-memory.dmp
memory/2536-45-0x0000000006880000-0x000000000688A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wIucsTGfrfi5.bat
| MD5 | dbac3248f010e6510dbedf769a18436a |
| SHA1 | 667148d951a1786c837257723fab74f384945af7 |
| SHA256 | 0e69e525bafceeb3dd7584a77e1e81d6a255b7bb4015321349535b07f36593cd |
| SHA512 | 3cb304e8bd1d6ca10fd0ebe100852d9bb5269a136036c64b7e9d5a61be2dd9b5ade6fbc0918092af66b2e9b0735b6c97f1180e68dcf397c015583d88f1f91474 |
C:\Users\Admin\AppData\Roaming\Logs\09-01-2024
| MD5 | 7a9352b4713c648900eb4caaa5a9f5fc |
| SHA1 | 90549eed7440d94a4c50a280e33305c9cff69899 |
| SHA256 | 3a791d12833edcfb03d1cca388f6ae9150440759c3b7d3bf3a92bd5ff65dc6d4 |
| SHA512 | b31b01f0aec7276d440a534097cf74e2812bc89c97094b592837a09ae3d3b4349586a3ed6bc22bc8f0ddbdfa68d662a4971ee39cdcaf447a6c0b65d3cf21530d |
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | c1bbce4d8536383164b267965af5df13 |
| SHA1 | 645bff567967375f13bd8e4b865a2056b1e66271 |
| SHA256 | 6fabc5716bcbe8cee30a51c84766ac6a0d55ec4d2947f000e815d578ad09b63d |
| SHA512 | 560f87e7c5753891a205dbf0da0682e723b903e00b084fde371430f2be25e3e8b5f24f5e9d61e6c2e815068ee290228f3d751ec04fcf7ae3ba4ff6d58564a4ab |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
| MD5 | 10eab9c2684febb5327b6976f2047587 |
| SHA1 | a12ed54146a7f5c4c580416aecb899549712449e |
| SHA256 | f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928 |
| SHA512 | 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50 |
C:\Users\Admin\AppData\Local\Temp\hZdX9iEjqMN7.bat
| MD5 | 358b989083f7f6eb59b11cdd4ea0582c |
| SHA1 | 1fc75760903b9074b448e27219c225585bcc1c0f |
| SHA256 | 96c95510afea63860549054471b7c8952719459cfedc2786c455f07cfb47e83c |
| SHA512 | c1ea0e46cc78e99bcbd85852608045303b558e9c0d5a268a47103a162da5042430ad9b9c644da5e460283e3426d9a3169797dc22670eaa44262f9eebf974a21c |