Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-12-2024 03:06

General

  • Target

    8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe

  • Size

    3.1MB

  • MD5

    c2281b1740f2acd02e9e19f83441b033

  • SHA1

    bf321d96b83261e5487f06c9c0ddfc75786c7c8c

  • SHA256

    8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

  • SHA512

    0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

  • SSDEEP

    49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes
  • encryption_key

    23E5F6D22FEE1750D36544A759A48349B064BC34

  • install_name

    PerfWatson1.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhost

  • subdirectory

    KDOT

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
    "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3408
    • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3008
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hXapDOCgbm8Y.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:244
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:640
          • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
            "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4532
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2100
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z8uPENftteXc.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4504
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4552
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1844
                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3420
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3040
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zL5vNQCFyE29.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4584
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:3252
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1564
                      • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:388
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4024
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbs2NoRuztNO.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1560
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:2160
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3392
                            • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                              "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1648
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1360
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZruSsNFAEu2M.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:916
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:4452
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:3560
                                  • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                    "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    • Suspicious use of WriteProcessMemory
                                    PID:4404
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3412
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x1e42oGGWk8Y.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:5056
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4304
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3464
                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4064
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1112
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTmuh0KukOhj.bat" "
                                            15⤵
                                              PID:4532
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:3340
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:3564
                                                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4376
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2440
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIsITm3X7Qoi.bat" "
                                                    17⤵
                                                      PID:1900
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:3300
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:4696
                                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2268
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4036
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWVKi0OTN3rl.bat" "
                                                            19⤵
                                                              PID:4356
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:3068
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:5096
                                                                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2160
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3980
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaxZQstDCyRt.bat" "
                                                                    21⤵
                                                                      PID:3456
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:3576
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4412
                                                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1096
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:1968
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f1WhqVtXd3mi.bat" "
                                                                            23⤵
                                                                              PID:436
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:3460
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:1612
                                                                                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1040
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:3504
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D150gwn3jFi.bat" "
                                                                                    25⤵
                                                                                      PID:664
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:2208
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:640
                                                                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4460
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:3064
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7MaXXPJuOtxV.bat" "
                                                                                            27⤵
                                                                                              PID:4548
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:4552
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:3536
                                                                                                • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2704
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2136
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFD5HFdM99B9.bat" "
                                                                                                    29⤵
                                                                                                      PID:820
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:4588
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:3300
                                                                                                        • C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:1372
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:2676
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\THwkzRID0D9e.bat" "
                                                                                                            31⤵
                                                                                                              PID:4712
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:1320
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:2868

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PerfWatson1.exe.log
  Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

• C:\Users\Admin\AppData\Local\Temp\1D150gwn3jFi.bat
  Filesize: 210B
  MD5: 75afa3c834574d173e6f93864528c9ae
  SHA1: 7951e26931ebd77ed34c14ac9968ccd854ca868b
  SHA256: dfa19053e098012b5cdea7ab33f9c46d37a8838a0dd348f4c812c05bf989fabd
  SHA512: 76b4d663857baa852d3dfed2bd1ff4a54390ecd07ef839583df4b06f2ed314926986695f36e9be69b7a021646bf60db4a078a0bda65e7b2617da590b608c36c1

• C:\Users\Admin\AppData\Local\Temp\7MaXXPJuOtxV.bat
  Filesize: 210B
  MD5: a03580ab868573fa13c1744a7115fdbd
  SHA1: 9d3e1286449a5e6a854d5bd87a7d1e5e1617da4e
  SHA256: bb4f288351dc2f5fa19cb527196ffbd7bac28e0b0e19a12cc7dab01216c9a0fc
  SHA512: 3f21142ace3a021dba0e47c487851d9433755148d8dd4e6859ee88cb6a1dc0152115287e6045ff23faa5e6cbc9b3433810f73514ac03ea62f93b22c164751e17

• C:\Users\Admin\AppData\Local\Temp\KFD5HFdM99B9.bat
  Filesize: 210B
  MD5: 2a5bbefa529f5f7f46e04bbe562d683a
  SHA1: 544f3994f3718d7cc86bac0e5fd65a787a3a6c30
  SHA256: 54516c0697fc3a76b8492fbc06b155ffd31d86ba9b6ba4b331eb49b787062014
  SHA512: c0cdfbc410068117b7e8fa8dfffb30c944ba24955aa801a8e97b4a8689e230d89f4884012ea5e52b514018634022966d5c7be4124a62d885d927d7af784e0747

• C:\Users\Admin\AppData\Local\Temp\THwkzRID0D9e.bat
  Filesize: 210B
  MD5: bd3dbaa844a8da231c100ea2d78a4d69
  SHA1: 0db65bff3611f40e32e42bfe3ff0e1eaaaaa77ad
  SHA256: f565ff0cf9a32f4b8452cdc1644fd83c5ac0e558035ac94f2b82a02bff91d41a
  SHA512: 418de43f658f56f656fe79645da2d26a2b00efc02e9bc44f8bd765ff451bf7bb2e902863086e806d9a15e5f2b0a7ab65bca5d709198ca4a8399aba51ab98b094

• C:\Users\Admin\AppData\Local\Temp\WIsITm3X7Qoi.bat
  Filesize: 210B
  MD5: 1e04d176c7c6c9b295bf0a6ed8f0344b
  SHA1: a28e5c5161cc2300491009578b3122948c603e93
  SHA256: 1ef56ec553eac946b12484d7920ed0920c749110e9871454a24a66b8d28e8f9e
  SHA512: 3354f5037cae5f785b7de901fafeee674c9a57b301b84883d3685f8ca820af11469162f47feb09f30b91325654039327f4ae59f7a6c6f06f16456b14eab3c517

• C:\Users\Admin\AppData\Local\Temp\XWVKi0OTN3rl.bat
  Filesize: 210B
  MD5: d69412b0456de713b5d9e7fad4c671a3
  SHA1: 00f3013219141bdaa0ae0ae48c0e18a1cb6149ed
  SHA256: 84e3349f06248a3f65f30a21bf12dd91fff76ad976e4e24c5ea2a0e24f1061a2
  SHA512: 0c725b28b23d54348f3e9704adfef9380e90ecc13cdeb0b37732b251181a9aeca0f9c485088098e230e2ca3e9c7c38fc92aa92814e49417fe902f0f7612765d4

• C:\Users\Admin\AppData\Local\Temp\Z8uPENftteXc.bat
  Filesize: 210B
  MD5: 5ec7353010b981e537b4334c46c41dce
  SHA1: 9a2b60533af0aeca159c35c217a1476601da24ba
  SHA256: 95ba8250371516e5b1233acdaaf88ac8855b8e7432ea37c455f66d98ff45f8d6
  SHA512: 9bff76230c89ba28ad6be8744a6d4759658f3624da2327585879c08d2b57b9f886391163b5bc952228626def0d399ea9c8286f5f4338d6b79831da9885699750

• C:\Users\Admin\AppData\Local\Temp\ZruSsNFAEu2M.bat
  Filesize: 210B
  MD5: 9e4914a8c9a450a2f848e4428724a2b9
  SHA1: c47efd1df200953b22ac3e2db91e7891bfc7ca91
  SHA256: d4555d1e2f78e79940dedd5a3e41d0ca799b7593dd4cf72d9918db45bf285020
  SHA512: 206ab3de3cddc41bf83b7b655ad85c4a6f7d0ac22267df86b2fa7ba7e69604f3d3df6fe4d0d11247cc9818037d15effb1639a5090fada2975c308f3fbe338104

• C:\Users\Admin\AppData\Local\Temp\f1WhqVtXd3mi.bat
  Filesize: 210B
  MD5: 422d67fe22da8a49c6d2867f8abb98af
  SHA1: c0c000391a308022a9880857f9253e589a58f432
  SHA256: f6038579c108e5f91fc0059d2abe75fbea6332f12fe4878b4e29174d5e76f6b0
  SHA512: 3ce7608bc4f352ed7c93cf31f0eaaa4639e288e4c7280e0400f1f26b4ef80d0d994fd7a154e7a773b51afe8b25246de08fb3ece1b1c6e333b285359d74fc418b

• C:\Users\Admin\AppData\Local\Temp\hTmuh0KukOhj.bat
  Filesize: 210B
  MD5: caff42b900a2575194a11a151dbfd483
  SHA1: f330c92ee7562b166edb91e71606a77ba24f20bb
  SHA256: 5677907713abd45c80ed08d27f1a9cd89e6e10dd15789fcfcdc09507d057beac
  SHA512: bbd31cadc5bff6fe03321db64ea533e67ccab4dc63f658abdde6ea124982c8d24eda38c2c7d77d8d73a421dc7424d92a974520ea908b20a8542769fbb45b083b

• C:\Users\Admin\AppData\Local\Temp\hXapDOCgbm8Y.bat
  Filesize: 210B
  MD5: a6ebce934da39235b78e4205a78d7b6b
  SHA1: 70abb9ae1680c02aacd3768409afb9828371154c
  SHA256: e917b8b5726e9d562e63e5b7844672b14c6ff9a2fc7065cdda65845a6415441d
  SHA512: 2c5772b1f0a79e739ea5a13afa898b7adc80cf5d52394f10c188841114e318d77777ff6ff2cc2c73df7571709abe22290f8d6745fcd2679e0301d68a1657d29d

• C:\Users\Admin\AppData\Local\Temp\oaxZQstDCyRt.bat
  Filesize: 210B
  MD5: fd887cb1a14958cff57ccc1140d34c87
  SHA1: 83f0ebb7e2270ebd60091592d56ffaeecdd8ee37
  SHA256: cc42ea723578b199a015d0a18fe712680f0503fecd2ba7d5ae337aab32f8606b
  SHA512: 665edd0ebb521535fae957a4cc8387717a542fff4a641af685cf27dff8cf2895b7f8e03c980c802e710f806f2d14c14d64b576ca1e1f0ea5930a022c880f28d7

• C:\Users\Admin\AppData\Local\Temp\pbs2NoRuztNO.bat
  Filesize: 210B
  MD5: f29eaaaa365de0a42e7c3d2e52a3c1a0
  SHA1: 46fde6ad168300f45351bf67a225e7171ce3bb13
  SHA256: 99f9b8ba3a27acb38d72723b60f98ba3a910855e45ad2b0a3786e451a18eccc5
  SHA512: 02e9563b6f549ad48328e2b53cc0b7fe12727b5181375eb3dbbb54f74f65a83c98084087d3f1d8c763aa9acdd82fa416ed7ce5becfcf50251e38f6938c5c2f1c

• C:\Users\Admin\AppData\Local\Temp\x1e42oGGWk8Y.bat
  Filesize: 210B
  MD5: 84da01bb75803e4ff90bebdffffa2c3e
  SHA1: ee4c0c0d68b3e8ea69ce3e8ac45896798b049f39
  SHA256: 0cac40db36589154af098d01ba3810bd6132ad7862af628dc041674d6c14563a
  SHA512: f74f1006c763981b64e30735e6817180303589d3a9d889767ee55b21464f4ca543e9b27553e9143019ed815da461917b8a10b69d418653d5fe2571c86d8ff003

• C:\Users\Admin\AppData\Local\Temp\zL5vNQCFyE29.bat
  Filesize: 210B
  MD5: e59e65ad38bf6d0be710dcf433573eb5
  SHA1: acd4b14c51db73cfcaec6cc0ab2ed1f3f3d8b345
  SHA256: 753cec8ffaf70fb3061fece736fe9b85eefadc3bb7ea1ad7f1eeaaddc8b7807f
  SHA512: beed3d797fde20b5485fb1b6b39e7a67b93de02650c4e14597eea21b3abf54fc6dd97235456ca8d677e4dadd4bef03ebbcc769dc45965c1ae37208bd33ea9735

• C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  Filesize: 3.1MB
  MD5: c2281b1740f2acd02e9e19f83441b033
  SHA1: bf321d96b83261e5487f06c9c0ddfc75786c7c8c
  SHA256: 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
  SHA512: 0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

• memory/1424-12-0x000000001BFD0000-0x000000001C082000-memory.dmp
  Filesize: 712KB

• memory/1424-10-0x00007FFCC7680000-0x00007FFCC8141000-memory.dmp
  Filesize: 10.8MB

• memory/1424-9-0x00007FFCC7680000-0x00007FFCC8141000-memory.dmp
  Filesize: 10.8MB

• memory/1424-11-0x000000001B760000-0x000000001B7B0000-memory.dmp
  Filesize: 320KB

• memory/1424-18-0x00007FFCC7680000-0x00007FFCC8141000-memory.dmp
  Filesize: 10.8MB

• memory/5080-0-0x00007FFCC7683000-0x00007FFCC7685000-memory.dmp
  Filesize: 8KB

• memory/5080-8-0x00007FFCC7680000-0x00007FFCC8141000-memory.dmp
  Filesize: 10.8MB

• memory/5080-2-0x00007FFCC7680000-0x00007FFCC8141000-memory.dmp
  Filesize: 10.8MB

• memory/5080-1-0x00000000002D0000-0x00000000005F4000-memory.dmp
  Filesize: 3.1MB