Malware Analysis Report

2024-10-16 07:21

Sample ID 240627-qppxaatcmf
Target Loader.exe
SHA256 e2aac5fb4c3889bf916a1938cd3006dd3143e80774fa55ab0ffe25c88387dd9d
Tags
quasar blankgrabber asyncrat xworm default slave execution rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2aac5fb4c3889bf916a1938cd3006dd3143e80774fa55ab0ffe25c88387dd9d

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

quasar blankgrabber asyncrat xworm default slave execution rat spyware trojan

Quasar family

Quasar RAT

A stealer written in Python and packaged with Pyinstaller

AsyncRat

Xworm

Quasar payload

Detect Xworm Payload

Blankgrabber family

Async RAT payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 13:26

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 13:26

Reported

2024-06-27 13:27

Platform

win10v2004-20240611-en

Max time kernel

43s

Max time network

57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639684300415389" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4236 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 4920 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 1.exe
PID 4920 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 4920 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 3.exe
PID 4920 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 4.exe
PID 4920 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
PID 1992 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 3692 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3692 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5104 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5104 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 3380 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 4868 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 536 wrote to memory of 3280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\Part 1.exe

"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Users\Admin\AppData\Local\Temp\Part 3.exe

"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"

C:\Users\Admin\AppData\Local\Temp\Part 4.exe

"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"

C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe

"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe2934ab58,0x7ffe2934ab68,0x7ffe2934ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8

Network

GB 142.250.187.238:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\explorer.exe

C:\Users\Admin\AppData\Local\Temp\Part 1.exe

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

C:\Users\Admin\AppData\Local\Temp\Part 3.exe

C:\Users\Admin\AppData\Local\Temp\Part 4.exe

C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxg550wg.dqc.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

\??\pipe\crashpad_536_TJOSDBZDICYJBPZG

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Temp\Log.tmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\129b5755-0d2e-4e01-abac-f83d5cb1dc4a.tmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
