Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 17-12-2024 06:30

General

  • Target: built.exe
  • Size: 3.1MB
  • MD5: a813f565b05ee9df7e5db8dbbcc0fa43
  • SHA1: f508e738705163233b29ba54f4cb5ec4583d8df1
  • SHA256: ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
  • SHA512: adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e
  • SSDEEP: 98304:aydj2yMy5en93hlLLzJjVrv3zs9Yv+Wcvy:pLYvzs9Yv+Wcv

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.0
  • Botnet: Office04
  • C2: microsoftsys.ddns.net:4782
  • Mutex: 67e0653d-eedf-4888-88ab-78e97eb2df27
  • Attributes
    • encryption_key: 23E5F6D22FEE1750D36544A759A48349B064BC34
    • install_name: PerfWatson1.exe
    • log_directory: Logs
    • reconnect_delay: 3000
    • startup_key: svhost
    • subdirectory: KDOT

Signatures

  • Quasar RAT
    Quasar is an open-source Remote Access Tool.
  • Quasar family
  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 15 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (15 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
  • Runs ping.exe (1 TTPs, 15 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\built.exe
    "C:\Users\Admin\AppData\Local\Temp\built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\built.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2288
    • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2756
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dFqfZtqdAnHg.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2824
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:540
          • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
            "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4596
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:880
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ulx5LocqN2cm.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4420
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3620
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2672
                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1956
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4184
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oedyIkyhmOPi.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5028
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:3380
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:400
                      • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2668
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:3376
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K16VMDbSzbIx.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1768
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4484
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3876
                            • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                              "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2924
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1260
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vrRLkJTyxoh4.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3864
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4896
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:1860
                                  • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                    "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1196
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:752
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vv0cB5fJV0pZ.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:764
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4984
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:2180
                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2808
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1256
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a9hb1XbesWap.bat" "
                                            15⤵
                                              PID:2292
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:4844
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:3488
                                                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:232
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:556
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Jbf8zROjEku.bat" "
                                                    17⤵
                                                      PID:1348
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:3464
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:3392
                                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2064
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3836
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XG3EC06BpxcN.bat" "
                                                            19⤵
                                                              PID:1052
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:1388
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:4864
                                                                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:5028
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4320
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcN6Ozq6dflL.bat" "
                                                                    21⤵
                                                                      PID:3952
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:1404
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:2864
                                                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:4720
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:1872
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQtdjBepjV2K.bat" "
                                                                            23⤵
                                                                              PID:4204
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:872
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:3812
                                                                                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:4688
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:4588
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5hjLr7LncdKx.bat" "
                                                                                    25⤵
                                                                                      PID:2348
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:3840
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:4284
                                                                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:640
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:2464
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CJnYFIBRxc4G.bat" "
                                                                                            27⤵
                                                                                              PID:1256
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:2644
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:2856
                                                                                                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:212
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:1760
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cScKlMb5KUxR.bat" "
                                                                                                    29⤵
                                                                                                      PID:624
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:2664
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:3816
                                                                                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:740
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:932
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q2u3emh0rcWk.bat" "
                                                                                                            31⤵
                                                                                                              PID:2372
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:1956
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:1536

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PerfWatson1.exe.log

                                                    Filesize

                                                    2KB

                                                  • C:\Users\Admin\AppData\Local\Temp\5hjLr7LncdKx.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\7Jbf8zROjEku.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\CJnYFIBRxc4G.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\K16VMDbSzbIx.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\LQtdjBepjV2K.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\Q2u3emh0rcWk.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\Ulx5LocqN2cm.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\Vv0cB5fJV0pZ.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\XG3EC06BpxcN.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\a9hb1XbesWap.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\cScKlMb5KUxR.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\dFqfZtqdAnHg.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\oedyIkyhmOPi.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\vrRLkJTyxoh4.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Local\Temp\wcN6Ozq6dflL.bat

                                                    Filesize

                                                    210B

                                                  • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

                                                    Filesize

                                                    3.1MB

                                                  • memory/1260-0-0x00007FFDFA733000-0x00007FFDFA735000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/1260-8-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/1260-2-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/1260-1-0x0000000000A40000-0x0000000000D64000-memory.dmp

                                                    Filesize

                                                    3.1MB

                                                  • memory/3984-10-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3984-9-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3984-11-0x000000001B0A0000-0x000000001B0F0000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/3984-12-0x000000001D340000-0x000000001D3F2000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/3984-17-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

                                                    Filesize

                                                    10.8MB