Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-12-2024 03:06

General

  • Target

    8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe

  • Size

    3.1MB

  • MD5

    c2281b1740f2acd02e9e19f83441b033

  • SHA1

    bf321d96b83261e5487f06c9c0ddfc75786c7c8c

  • SHA256

    8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

  • SHA512

    0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

  • SSDEEP

    49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes
  • encryption_key

    23E5F6D22FEE1750D36544A759A48349B064BC34

  • install_name

    PerfWatson1.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost

  • subdirectory

    KDOT

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 11 IoCs
  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
    "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2796
    • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2692
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lqaz25Dby8tw.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2652
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3040
          • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
            "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1032
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2912
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\O22Gll6K6l0S.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2008
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2888
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:576
                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2864
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2248
                  • C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\THOuI3GxjslG.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2776
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1332
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:292
                      • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1744
                        • C:\Windows\system32\schtasks.exe
                          "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1780
                        • C:\Windows\system32\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\xaMqsbzA1iSS.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2344
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:2176
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1092
                            • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                              "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2208
                              • C:\Windows\system32\schtasks.exe
                                "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1628
                              • C:\Windows\system32\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\1088ZImIrn2c.bat" "
                                11⤵
                                  PID:1508
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:2256
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:2396
                                    • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1716
                                      • C:\Windows\system32\schtasks.exe
                                        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                        13⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:604
                                      • C:\Windows\system32\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yaJyUAKPeoyF.bat" "
                                        13⤵
                                          PID:3012
                                          • C:\Windows\system32\chcp.com
                                            chcp 65001
                                            14⤵
                                              PID:1540
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 10 localhost
                                              14⤵
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:2268
                                            • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                              "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1440
                                              • C:\Windows\system32\schtasks.exe
                                                "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                15⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2300
                                              • C:\Windows\system32\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Vol0xjKgKlT.bat" "
                                                15⤵
                                                  PID:1576
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    16⤵
                                                      PID:2792
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      16⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:2100
                                                    • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2712
                                                      • C:\Windows\system32\schtasks.exe
                                                        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                        17⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2840
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HH4KbPuL08zV.bat" "
                                                        17⤵
                                                          PID:2620
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            18⤵
                                                              PID:2104
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              18⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:3044
                                                            • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                              "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2096
                                                              • C:\Windows\system32\schtasks.exe
                                                                "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                19⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:648
                                                              • C:\Windows\system32\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\gR9QKGMyopwF.bat" "
                                                                19⤵
                                                                  PID:1684
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    20⤵
                                                                      PID:1260
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      20⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:1988
                                                                    • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2876
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                        21⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:2420
                                                                      • C:\Windows\system32\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\USuF3TGpRyC2.bat" "
                                                                        21⤵
                                                                          PID:1660
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:2520
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:2592
                                                                            • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                              "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2332
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                23⤵
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:448
                                                                              • C:\Windows\system32\cmd.exe
                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\YjADNl5pHr0v.bat" "
                                                                                23⤵
                                                                                  PID:976
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp 65001
                                                                                    24⤵
                                                                                      PID:2344
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      24⤵
                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                      • Runs ping.exe
                                                                                      PID:2056
                                                                                    • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1732
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                        25⤵
                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                        PID:1372
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3Afb08g2x8dA.bat" "
                                                                                        25⤵
                                                                                          PID:892
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            26⤵
                                                                                              PID:1640
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              26⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:1712
                                                                                            • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1316
                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                                27⤵
                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                PID:2456
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\Nm30qdhTLDNE.bat" "
                                                                                                27⤵
                                                                                                  PID:2960
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    28⤵
                                                                                                      PID:1796
                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                      ping -n 10 localhost
                                                                                                      28⤵
                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                      • Runs ping.exe
                                                                                                      PID:772
                                                                                                    • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                                      28⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2952
                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                                        29⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1848
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zXyDDATMW0dc.bat" "
                                                                                                        29⤵
                                                                                                          PID:2616
                                                                                                          • C:\Windows\system32\chcp.com
                                                                                                            chcp 65001
                                                                                                            30⤵
                                                                                                              PID:2676
                                                                                                            • C:\Windows\system32\PING.EXE
                                                                                                              ping -n 10 localhost
                                                                                                              30⤵
                                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                              • Runs ping.exe
                                                                                                              PID:1056
                                                                                                            • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                                              30⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2540
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                                                31⤵
                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                PID:2752
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\GPVexyhmkGqq.bat" "
                                                                                                                31⤵
                                                                                                                  PID:1584
                                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                                    chcp 65001
                                                                                                                    32⤵
                                                                                                                      PID:2548
                                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                                      ping -n 10 localhost
                                                                                                                      32⤵
                                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                      • Runs ping.exe
                                                                                                                      PID:2872

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Temp\1088ZImIrn2c.bat
  Filesize: 210B
  MD5: 32422620f97823d28ec42f08a2d91c25
  SHA1: 782f34dae84699bff745a55872904a3966d455b5
  SHA256: 0c87bd2042a2209ff59e671a299ebe1c661b8175dd231aca4c80a43d901c2bc5
  SHA512: 47fc2b730238c02638e6bfbfdc797e2e8360e35fff6b331b021a22aa40f63392e90057e2dd0a1281672731aff3d7b9127aef91f8cc6bfde2b11ac917d70639b9

• C:\Users\Admin\AppData\Local\Temp\3Afb08g2x8dA.bat
  Filesize: 210B
  MD5: 1c78fb46365c835cc263372e9d051dc9
  SHA1: 46c802aaf748ec36215343d294f4f24765f116ca
  SHA256: a161f3a4aabea6d02e7757f7ccfbda5ecb5390ebfb22da99f52c088dd6cf11a4
  SHA512: a530ea9b9a56e6aa677ce7bac27cc96767fd0554d3afe1cfa3432dcb7a7028d3bcff73adaffd68403b0d59819a83d64972286cb88484a49bff5045ad73032a3a

• C:\Users\Admin\AppData\Local\Temp\9Vol0xjKgKlT.bat
  Filesize: 210B
  MD5: 0f30cfbe12c4349764e3c51043e37fdf
  SHA1: 5ed377084a91896185ab9f9e4b17fd5fcac4b401
  SHA256: ea0bbdea7e6ad649b1ca1d61faefe41c35196abce0b70f3f43f8cae670f90889
  SHA512: 079f6d4b8d08d77c0e1138f9083ef0a3f568f596f25d8e533c62a68003f94fdbd179968fe43a58be6a225f106548932976accace474f890307bf566d6f4ef60d

• C:\Users\Admin\AppData\Local\Temp\GPVexyhmkGqq.bat
  Filesize: 210B
  MD5: 62689bd9d14234fde16545ec3e80f7fc
  SHA1: 3efab6233ac0068d4e80ec5ddfb18570c6ee72bf
  SHA256: c71bab93ce4ed30f24badc52ffd0d9644b0d38670b273436ea74547cfd72dfdc
  SHA512: ac63e6cbb7b275ad39d2afdda5d542dd16b7c445e20c37aa3c0e7c639f2d65d15baaf1e719ddbab21264551087fa2e7965c2443a9d3f4ea7369fa30bb0b2bdc6

• C:\Users\Admin\AppData\Local\Temp\HH4KbPuL08zV.bat
  Filesize: 210B
  MD5: 9c424590c09ef0158a7ea284ae16867a
  SHA1: 2197963603482a387bbe32bc9a1e19d96ab89148
  SHA256: b74f7a7d3dca984f1408ee80fea3683b683c7f099e85d560e251586fd025b634
  SHA512: d5de291af4e37e78b5849c2d6176e871b9fd0676a86b12e9d289ea525b80f03c5b9397f72f25e3b6b08edd12f3e77c393eef26d6a00bbe68e8e4c2241869f1d5

• C:\Users\Admin\AppData\Local\Temp\Nm30qdhTLDNE.bat
  Filesize: 210B
  MD5: d0e77897f9e0f5a3392604eed8bbc867
  SHA1: 3b6ec31b8df6bdd19d05199f1538f626d31d1b99
  SHA256: 4f85f5f764fdecfab535f26b169a7f1a0c6ceba188cc6af4a53ce1a81f927a75
  SHA512: ad7688a0fdeda87d978a68c5465ee5bb4f9d05d009b27fccc3dda1eca3b60edc8fb60e0715b1ded785d7f7a3cd0fdeca9351e72ea63a2c7ecef461992ce1198d

• C:\Users\Admin\AppData\Local\Temp\O22Gll6K6l0S.bat
  Filesize: 210B
  MD5: ff60f5fc057f777c79d481f52521bf0b
  SHA1: 5fab14422ef3238583f108707f68b0d68a9c4660
  SHA256: 3dd59bd2fa7a286007db2dc3bdf94554b9e0daf369ef1c32a2caf57dd53f62ea
  SHA512: ed3c8cdaed04a8992273b1d3fc8cefc27e89dec3deb4c347f5e73347ccfa409573ca2d39f677db645dffb7fa2e9ac96f008c5c23131f5e0bb194149f11f460f3

• C:\Users\Admin\AppData\Local\Temp\THOuI3GxjslG.bat
  Filesize: 210B
  MD5: 1ca5c928bd37c273ec6026c8b0ebfb68
  SHA1: bae6c329725723f7a04774a1ac2c15bad9f067c3
  SHA256: 79568eddd3e0eaec1717afe687976eb21966a11363442e30ec3077f861df2883
  SHA512: bb14ce95a4dc5ace89ba23da9e5b56f31848a87b4a81ead34ef63add807bb865c48565e9a4335ec05d47689fd86bb4e485c59c5e0c5a078cc2f312613aa99cf8

• C:\Users\Admin\AppData\Local\Temp\USuF3TGpRyC2.bat
  Filesize: 210B
  MD5: 15de0b00a3dceb9566968d1df5664cf0
  SHA1: 6771edfb8497a0547caedcdee79e59f59bf10a03
  SHA256: 93660e441f63a6daea31214283ef7d9958b086b90573ecd632d3fa6c2bddfa58
  SHA512: b3ccc642922f2eb90afa4ac21ccfaaa4c24c92420cf8de36757ed7f75fe0d71d69c868d657755dfb8272018fdcca5783b781df20c131f3afa8655df3de11370a

• C:\Users\Admin\AppData\Local\Temp\YjADNl5pHr0v.bat
  Filesize: 210B
  MD5: 666fe438f72e82a940d0532db13837c0
  SHA1: b15206cf6685474249810a27659017a35077bf3d
  SHA256: 051513f468b386834381ad97b267e75db55e2cb886271c19a99e5dd0393b9d7e
  SHA512: cf2108336a64fe66879595e4405cc159a573798376a2e884dff5af0dfc57f584e5e4598a69137f58d50a00782547db0af12423be895ff7ffa2deb2fb1e4db81e

• C:\Users\Admin\AppData\Local\Temp\gR9QKGMyopwF.bat
  Filesize: 210B
  MD5: a770e5e5f223709d4ef9fe66734e1608
  SHA1: 0ed9156c1f0be7f51512f8a82e129a9ba942f271
  SHA256: 5635bd4510ab4a4d9472870c4e1f08924287e68b9787c05de8dd0311e6726d8b
  SHA512: 6c2243ebe8dbe12a01fdbf3458904100797c15a29285bc989b1081bd4c3db7666a94498ad8b75500cb6489992ad2dc032eb72f271a82aa7de21f026c99fa5096

• C:\Users\Admin\AppData\Local\Temp\lqaz25Dby8tw.bat
  Filesize: 210B
  MD5: 3dacf9897686ec6248948b4c3cf121a0
  SHA1: 2a35603753dfb67929b498dbca03369bc0b2b9d3
  SHA256: 0147ab42440bee4a00299dee1ab8950dbbc336df2ed999d34a52a85d09f8becf
  SHA512: 4f71f823d23658870cf85d355ed87d421e8b2a5f6cbbdb596864247d1618000c27c9cef551e7b8162113cf11cdebba904484d9f39acc84ffadbd820244cb7678

• C:\Users\Admin\AppData\Local\Temp\xaMqsbzA1iSS.bat
  Filesize: 210B
  MD5: 5f5253d8440274fb0e1ee857921f83ef
  SHA1: b1998a467d2f94514a4507eab488a9da61eea8df
  SHA256: b03380285c30bd8dc0a99ff65347f1b27e887d4555089528e97ad2a8a268570d
  SHA512: b909a6bb349d797b3065eea2c566a9b6521713ed60d78c554cd98d068043fed15b8959706c29682faa5911ded8647b391a8522186f7bcf8d072f906adfc65314

• C:\Users\Admin\AppData\Local\Temp\yaJyUAKPeoyF.bat
  Filesize: 210B
  MD5: 0ac1195de42edfe199d783be88a5eb3d
  SHA1: bf3bd68e4e5da40cd83fef690af2f83081f00550
  SHA256: 713548e9336aa850ff9de7d56c263aa7f312563fbdb61bd2bc32a53625a1947d
  SHA512: 5629e292713d30ec0789fd88df65e7d00cbfbad2a3f06cf4d2e1c6a5176cf080c8e912b7af76e74b5eb387ed87cc9f8f205c28d05fc58aae35508f9bb4f4dc26

• C:\Users\Admin\AppData\Local\Temp\zXyDDATMW0dc.bat
  Filesize: 210B
  MD5: fee383244696c7e737a81957db7a3ef7
  SHA1: 02104f0278c54c39c240632a99f843723a95b375
  SHA256: 204b3b3654348b0f538c21733cc01b9708084f84f5cda6034a5629d5ff6c1281
  SHA512: c0981fe64e95ecb32b59c5033a89153dc05c3bb5df1cf9ed0655e371ee5526ca3b2d3a0b4ba8b2b0492d16d128491d8538fab11b328cdcf9d195a093f27a87ed

• C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  Filesize: 3.1MB
  MD5: c2281b1740f2acd02e9e19f83441b033
  SHA1: bf321d96b83261e5487f06c9c0ddfc75786c7c8c
  SHA256: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
  SHA512: 0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

• memory/1316-141-0x0000000000A30000-0x0000000000D54000-memory.dmp
  Filesize: 3.1MB

• memory/1440-78-0x0000000000040000-0x0000000000364000-memory.dmp
  Filesize: 3.1MB

• memory/1716-66-0x00000000008B0000-0x0000000000BD4000-memory.dmp
  Filesize: 3.1MB

• memory/1732-129-0x00000000002E0000-0x0000000000604000-memory.dmp
  Filesize: 3.1MB

• memory/1744-44-0x00000000013E0000-0x0000000001704000-memory.dmp
  Filesize: 3.1MB

• memory/2208-55-0x0000000000250000-0x0000000000574000-memory.dmp
  Filesize: 3.1MB

• memory/2260-7-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
  Filesize: 9.9MB

• memory/2260-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
  Filesize: 9.9MB

• memory/2260-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp
  Filesize: 4KB

• memory/2260-1-0x0000000001130000-0x0000000001454000-memory.dmp
  Filesize: 3.1MB

• memory/2540-162-0x0000000000C50000-0x0000000000F74000-memory.dmp
  Filesize: 3.1MB

• memory/2656-19-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
  Filesize: 9.9MB

• memory/2656-8-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
  Filesize: 9.9MB

• memory/2656-9-0x00000000008D0000-0x0000000000BF4000-memory.dmp
  Filesize: 3.1MB

• memory/2656-10-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
  Filesize: 9.9MB

• memory/2864-32-0x0000000000DB0000-0x00000000010D4000-memory.dmp
  Filesize: 3.1MB