Analysis Overview
SHA256
e2aac5fb4c3889bf916a1938cd3006dd3143e80774fa55ab0ffe25c88387dd9d
Threat Level: Known bad
The file Loader.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
A stealer written in Python and packaged with Pyinstaller
AsyncRat
Xworm
Quasar payload
Detect Xworm Payload
Blankgrabber family
Async RAT payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 13:26
Signatures
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 13:26
Reported
2024-06-27 13:27
Platform
win10v2004-20240611-en
Max time kernel
43s
Max time network
57s
Signatures
AsyncRat
Detect Xworm Payload
Quasar RAT
Quasar payload
Xworm
Async RAT payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639684300415389" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe2934ab58,0x7ffe2934ab68,0x7ffe2934ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1932,i,11806328529207919040,5402828449677753268,131072 /prefetch:8
Network
Files