Malware Analysis Report

2025-04-14 07:03

Sample ID 230723-wwfj3sgc3v
Target d1c4c493c171000d21ae122bc5d819ba.exe
SHA256 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
Tags: redline logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5

Threat Level: Known bad

The file d1c4c493c171000d21ae122bc5d819ba.exe was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) discovery infostealer spyware stealer persistence

RedLine

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-23 18:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-23 18:16

Reported

2023-07-23 18:18

Platform

win7-20230712-en

Max time kernel

47s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe"

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2284 set thread context of 1732 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cl.exe

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe C:\Users\Admin\AppData\Local\Temp\cl.exe
PID 2284 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2560 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2284 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\SysWOW64\WerFault.exe
PID 2688 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1792 wrote to memory of 1712 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1792 wrote to memory of 2456 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe

"C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe"

C:\Users\Admin\AppData\Local\Temp\cl.exe

"C:\Users\Admin\AppData\Local\Temp\cl.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 96

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=21338 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef69d9758,0x7fef69d9768,0x7fef69d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=808 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1236 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=21338 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1432 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=21338 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1876 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=21338 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2396 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=21338 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2544 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=21338 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1968 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=21338 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2740 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2592 --field-trial-handle=996,i,14325980146555514010,1476389709862181234,131072 --disable-features=PaintHolding /prefetch:8

Network

Country Destination Domain Proto
FR 149.202.8.114:26642 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
US 8.8.8.8:53 ogs.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
US 8.8.8.8:53 apis.google.com udp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.250.179.150:443 i.ytimg.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.2:443 googleads.g.doubleclick.net tcp
NL 142.251.36.2:443 googleads.g.doubleclick.net udp
NL 142.250.179.150:443 i.ytimg.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
N/A 127.0.0.1:21338 tcp

Files

memory/2560-55-0x0000000002560000-0x0000000002660000-memory.dmp

memory/2560-56-0x0000000003FA0000-0x0000000003FD8000-memory.dmp

memory/2560-58-0x00000000041C0000-0x0000000004200000-memory.dmp

memory/2560-59-0x0000000000220000-0x000000000025F000-memory.dmp

memory/2560-57-0x0000000000400000-0x0000000002485000-memory.dmp

memory/2560-60-0x0000000074240000-0x000000007492E000-memory.dmp

memory/2560-61-0x00000000041C0000-0x0000000004200000-memory.dmp

memory/2560-62-0x0000000004110000-0x0000000004144000-memory.dmp

memory/2560-63-0x0000000003FF0000-0x0000000003FF6000-memory.dmp

memory/2560-64-0x00000000041C0000-0x0000000004200000-memory.dmp

memory/2560-65-0x0000000002560000-0x0000000002660000-memory.dmp

memory/2560-67-0x00000000041C0000-0x0000000004200000-memory.dmp

memory/2560-68-0x0000000074240000-0x000000007492E000-memory.dmp

memory/2560-69-0x00000000041C0000-0x0000000004200000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB656.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarB6F5.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ec0fae88a845489e727ca40ae97957d
SHA1 89c311fb0afe388e883ab8fc6ff5967e10e00cf3
SHA256 39ac1bad01c9861c09738ac24ccb477c56c21e65bf0a19aac7f223128c2712aa
SHA512 b8490242f938f66545f4f91df04ddd969d419292a7b27113c3c2d6ac4d7c537812206a0cb9308e9992cb29e18732e9dd262446f9e9213acde2a81d18069ddb84

C:\Users\Admin\AppData\Local\Temp\cl.exe

MD5 79982cf6836eebddfc2aa3e773f54f38
SHA1 50b22589ab2def3cdaaedcd0b775b5bbc705b119
SHA256 c734d9e260a93250d5f6a81fd6a2fd7eb30ac20ea1ac2ec0032767cced2107bc
SHA512 7427e665887f35db7fc8f28743ca7b65c646151ded8214cfcc2eaf14cbd6bfdfd0598c236c1ea1536f0ccead25d0485ab8dee54d353d10109ab01f3391a171e2

\Users\Admin\AppData\Local\Temp\cl.exe

MD5 79982cf6836eebddfc2aa3e773f54f38
SHA1 50b22589ab2def3cdaaedcd0b775b5bbc705b119
SHA256 c734d9e260a93250d5f6a81fd6a2fd7eb30ac20ea1ac2ec0032767cced2107bc
SHA512 7427e665887f35db7fc8f28743ca7b65c646151ded8214cfcc2eaf14cbd6bfdfd0598c236c1ea1536f0ccead25d0485ab8dee54d353d10109ab01f3391a171e2

memory/2560-150-0x000000000E4D0000-0x000000000E7E8000-memory.dmp

memory/2284-151-0x00000000011B0000-0x00000000014C8000-memory.dmp

memory/2284-155-0x00000000011B0000-0x00000000014C8000-memory.dmp

\Users\Admin\AppData\Local\Temp\cc.exe

MD5 bd96d6a5d12c775371eb3fcc5d09575d
SHA1 ffc55ae0ed01117e8508610a637cb6e1cec18393
SHA256 fa5a6abc71582301982aa82960ca369ada9f85f1c3ac3f4246bb1534730a62cf
SHA512 bfc1b258aae8b25abc5c53dce7b35d395b83783cc5fcf811da0b5bc130fda6bbe0fda2aa80751456e8b716200c67a15b1102b7a4a0b9c56355b01da33f5c05fc

memory/2560-156-0x000000000E4D0000-0x000000000E7E8000-memory.dmp

memory/1732-159-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1732-160-0x0000000000400000-0x0000000000527000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 bd96d6a5d12c775371eb3fcc5d09575d
SHA1 ffc55ae0ed01117e8508610a637cb6e1cec18393
SHA256 fa5a6abc71582301982aa82960ca369ada9f85f1c3ac3f4246bb1534730a62cf
SHA512 bfc1b258aae8b25abc5c53dce7b35d395b83783cc5fcf811da0b5bc130fda6bbe0fda2aa80751456e8b716200c67a15b1102b7a4a0b9c56355b01da33f5c05fc

memory/2688-166-0x0000000000520000-0x0000000000590000-memory.dmp

memory/1732-170-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1732-172-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2560-169-0x0000000000400000-0x0000000002485000-memory.dmp

memory/2688-181-0x0000000002750000-0x0000000002790000-memory.dmp

memory/2688-180-0x0000000002750000-0x0000000002790000-memory.dmp

memory/2560-179-0x0000000074240000-0x000000007492E000-memory.dmp

\Users\Admin\AppData\Local\Temp\cl.exe

MD5 79982cf6836eebddfc2aa3e773f54f38
SHA1 50b22589ab2def3cdaaedcd0b775b5bbc705b119
SHA256 c734d9e260a93250d5f6a81fd6a2fd7eb30ac20ea1ac2ec0032767cced2107bc
SHA512 7427e665887f35db7fc8f28743ca7b65c646151ded8214cfcc2eaf14cbd6bfdfd0598c236c1ea1536f0ccead25d0485ab8dee54d353d10109ab01f3391a171e2

\Users\Admin\AppData\Local\Temp\cl.exe

MD5 79982cf6836eebddfc2aa3e773f54f38
SHA1 50b22589ab2def3cdaaedcd0b775b5bbc705b119
SHA256 c734d9e260a93250d5f6a81fd6a2fd7eb30ac20ea1ac2ec0032767cced2107bc
SHA512 7427e665887f35db7fc8f28743ca7b65c646151ded8214cfcc2eaf14cbd6bfdfd0598c236c1ea1536f0ccead25d0485ab8dee54d353d10109ab01f3391a171e2

memory/2688-176-0x0000000002750000-0x0000000002790000-memory.dmp

memory/2688-175-0x00000000029B0000-0x0000000002A1C000-memory.dmp

memory/2560-174-0x0000000002560000-0x0000000002660000-memory.dmp

memory/1732-183-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2688-184-0x0000000005470000-0x0000000005522000-memory.dmp

memory/2688-182-0x0000000002750000-0x0000000002790000-memory.dmp

memory/2688-173-0x0000000074240000-0x000000007492E000-memory.dmp

memory/1732-190-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-189-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-188-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-192-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-191-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-187-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-186-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-185-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-193-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-194-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-195-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-196-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-197-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-198-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-200-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-199-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-201-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-202-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-203-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-204-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-205-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-206-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-208-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-209-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-207-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-210-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-211-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-212-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-213-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-214-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-215-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-216-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-217-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-218-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-219-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-220-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-221-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-223-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-222-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-226-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-250-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\cl.exe

MD5 79982cf6836eebddfc2aa3e773f54f38
SHA1 50b22589ab2def3cdaaedcd0b775b5bbc705b119
SHA256 c734d9e260a93250d5f6a81fd6a2fd7eb30ac20ea1ac2ec0032767cced2107bc
SHA512 7427e665887f35db7fc8f28743ca7b65c646151ded8214cfcc2eaf14cbd6bfdfd0598c236c1ea1536f0ccead25d0485ab8dee54d353d10109ab01f3391a171e2

memory/1732-224-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-251-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-253-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-261-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-263-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

memory/1732-264-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-262-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1732-266-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Local State

MD5 d0578b1921421edbe78555a48503f1e2
SHA1 6160973d5589bd62be0cc791d244f5ddbf859db9
SHA256 52a8bc9ca87e0aa956d1ce011464dcc22e4b6faaf415b386694ace066fba59ec
SHA512 0b202acf06caef894487c0757e9bebc4f3cd63e55316ef3dadb1e37e88b4061bc27481b9e333f1dc5a3a43059dba8dc3b522defe69a6ae6adee75cb7e18ce5ec

\??\pipe\crashpad_1792_KPNPGVRYTCSNGCHR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Local Storage\leveldb\MANIFEST-000004

MD5 031d6d1e28fe41a9bdcbd8a21da92df1
SHA1 38cee81cb035a60a23d6e045e5d72116f2a58683
SHA256 b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512 e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Local Storage\leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Local Storage\leveldb\LOG

MD5 bdfa05cb338de307a278d11c709db5db
SHA1 3f7ceaf808cefcd0404b5ad90902ba562ac04f69
SHA256 759dce948753d1dbc8fea406a95947ecbd78d2ae7599b3764ad7154b30c92e70
SHA512 3eefdad7e0b9b43f07fec8df6fbce4d8b3a4eec7d29b9b8d3d98a561cfa828ebd91492251500d073c223a61e3714c49681b6fe41a1e2c2e32edddd55b157596c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Local Storage\leveldb\LOG.old

MD5 988514fc923d5b8040299ac3a531d24f
SHA1 c998e4171741dcc35f992ba638df1919a2432aef
SHA256 6784fa9f8ca570fde0a41b80513f7b612f6d7729a34cb9f921c9b16ba17f8043
SHA512 34362494a11d96de17e943353d25b7bf0c16a470a588028caa868ae1a2ce3add4d9b2430445266b527fd316c390cee58cd128392f89e95a4545e5d9ee2370c46

memory/2688-311-0x0000000074240000-0x000000007492E000-memory.dmp

memory/2688-312-0x0000000002750000-0x0000000002790000-memory.dmp

memory/2688-313-0x0000000002750000-0x0000000002790000-memory.dmp

memory/2688-314-0x0000000002750000-0x0000000002790000-memory.dmp

memory/2688-316-0x0000000000860000-0x00000000008A2000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Session Storage\CURRENT~RFf7712c6.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\67ccc7d2-ad14-412b-923a-01d38d929920\index-dir\temp-index

MD5 d3550d8703c9a42a403b5d64aeeaaef3
SHA1 89a296b5f23c6278c7056c2d9872d80b421abf2c
SHA256 9ce03be132de8d6e1745f1d8d3eaa97c902cac1ae1efbf17f52f39c6fc3c8bd9
SHA512 db6ee22cc7c7917e3d21bdc95110df8f059265a7eddc3817da9f799805d22bb44057741047423a9bb8c8982388bd8090467f0cdc210efe352681003bf21b3be6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\67ccc7d2-ad14-412b-923a-01d38d929920\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ca7d1d002e805c3044db70bb63007bef
SHA1 43afbfcac046b6ea0531dbbf8084903b90d5af45
SHA256 0e9401afbd0610d23c1c086df92c8cdf0c3fc0c75e1ef5e35221ac43a31a957b
SHA512 646210c077730b40a924a12bc9b8da47788c4ae715c2406e68ff610357baa08a3d1a92cb5963297eb829d86921e16fb91fd15a1d18f9ccdf7f34bfc1c292bf8a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 c4714e6128892388f328f232836c1afd
SHA1 b2b22b1f77a236906b9045ab451d912af8672380
SHA256 b6ce630443721459a1b12bc61f2e4a764939480ee2ff19ede1a58ec3f85f8d7f
SHA512 30ee77f26a8fb5e588c2a34c03cdf50a25b39b7e3ec07d44242db3181f55885a3f302d329bab86c769e48d75ac1724e6fba01c00b35f87a8fcc5e4a693c7d714

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Crashpad\settings.dat

MD5 9bf876547d2197e9a7e8f87969ed3e65
SHA1 c9ae4da5502009ac470ad765314d9182dc84d4ae
SHA256 b7559c23f6dad6fd879956cc80a0b2732aa51268e8c1f0c5d19e242bbef623c0
SHA512 113d89d183c1ac68419bbbc9c23186091a52562dc906fead2c04af200a8138ce001419b9d17fdd4a224de788477a3718b0675efd9ccb54eb1e2d121449b79afd

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\DevToolsActivePort

MD5 5aa76c383f8f30c71bda6acd3b3dd84a
SHA1 51d31c06832447f83667dc4260d8069014216b4f
SHA256 33c9621de8bec6a6efc9e46a15b4d3d8e1d76c1abe7ed00bc9cf1edf4e0d20ed
SHA512 32add88b6972dfec34790f23133564cd2e2953c8c1a774cf5aefc7479d91512db85238e92016acf0fd1d4f6b9eba6be083d805e02a6ad9ff3f87061608a9c094

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_00000e

MD5 371bfce5375c6d9c893dd2b41d496d6d
SHA1 062c32d6568d4bb97214f50024d8d0b74a3548ee
SHA256 0cf8b5de70b5f94a58cc47037e83bd028fe1e63fba98e0e68fafa923db69bd82
SHA512 676f135355b8e2bd83926dbe484c5e50b251136558b8fab78518e278d0bb34d3235a14df9ca2a611f79e8ec8ab4cd314dd4bce779d402ee3f22ef1309be20f80

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\d1c183a914451aa4_0

MD5 78c32e622e946a64745caf1cf81b56bf
SHA1 bf359a63a995980e6808a97bfc78355fd10cddb4
SHA256 736e60659424122ec29bb01371e0d042cde8238033b05e86dcbaef937a2540ba
SHA512 75a8df19638ddb99881cb023c068310efe4cc53c66ed6a66b45e38c6b99aba7220bc0d1d66ed8c2aa52939ad7db37752842750fa7ff0d4c81ad45f576dd15111

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\ca0b3d7cee8a392f_0

MD5 cc4459a9693d122ad43db95aedd74eed
SHA1 8df0ad755e380aa4f8519482333eeac7bb410925
SHA256 479689576d3003669ec21d625585a4d6dd9cd72d0ae30cd5536b5ea5542a9da4
SHA512 5ffe0b6efbe4da815f683f125b520ee847f10216b468649069c0c4c0b0e1fdd771e38fca3a2945044a5511ae8d6d297220aa9d86325a8fc17a9244d74791e742

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\c4f657922bb6a9fa_0

MD5 d8c1e68fac1b09146817c8c30ac371d0
SHA1 f4472b719a168f5aa810b6cef0d683f350650d2f
SHA256 2ab050108cbf4c15621e791436e22966337166d5cbf0b7dc3b2903f465771356
SHA512 4205251a600a34c65fe6d784840a73d1cf236964e09a26f84af5bc1e08737cc7fc6c347c0a3f1943ea1a9fb51b31f990a703919f37dad1bc8db445fa173af757

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\a31a0c9902b6350e_0

MD5 0f38caf99842e4047f672438f54f1167
SHA1 410b77d06ede3495696e501cda77befa9981953f
SHA256 6a085b0d5c53c22c3080410f638a237725f10b16407b7b181e13b6febe81d5a6
SHA512 4390629a3e86b60788f455d6bf2ca471a2b00db6f485e723cf4733a154930f069792866bdc2fbeabfb7304c484486c87df8830f81037f6e9e007e619859ec638

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\9802cb9f795af689_0

MD5 21ae57a5ee914fdca85a681b88ddc927
SHA1 93c5013aee20b943570f67213aac85925e0ce325
SHA256 5db54d2255c4856403839b58b7e04a263fb21edfff536a00303159cd96e2721f
SHA512 aed4f3205018b276bb430b1243aefc1a5faff176e14a9b164b0fe33a0f4bb4adbd7ccd0180a4e7a6568f0061f340a673b455308df713781897c5b83d337a4718

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\95be2ea5575a548f_0

MD5 eac0a19e15b599b7614b3b051e3dd130
SHA1 4cada3115a0562c6b43cc718d001f928a7738c43
SHA256 aeedb42494980d68fa7ee7c390c4bef2fadcae2a572e9b49f0705353d78a455c
SHA512 5c66d4f0e2534685350c925f15910a01b6d36495079b0cfaf41a0268a8bab6a1f117441e5a42257c3be4030500a6d51c1a539c0fd36765642a2f5a2c28c6fdd0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\8f9926da7e0a5365_0

MD5 9c97475b53755e5a6bab3480f3bb976e
SHA1 a4737662215941651959ec5fe3c8f7ba73ae245d
SHA256 3c09a2fdd295ca39879d2023b27dff919f9b23b45b7edad5c85420bb4eeb7aec
SHA512 51fd0c004f0e663713465729bc822842e4f7c1d8b47244994da66ae2484c0df5a379d8d4997f60cb94778f8efea22492bcc6687f14da47ec8a560eab4ed789e5

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\873a90ed433c1ef6_0

MD5 8d63d4cba20fe5a1e5c37e0624e6d90d
SHA1 d84b05993a813bd48b8d70170a0213e83776eb45
SHA256 1e5621b5db5efbb471d32cb3e858e723711b267bad4c087299d8c287d50ef47a
SHA512 b936ba6f803612467a91e64ea0d47a9aa08729c8393c08d2fd9f1ae97b3e9e3d2aab75aff03c4b7dbd020619f400266d5508531fa2e75a84216ed8533139d821

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\635b51bf4e918cda_0

MD5 fa8316658fe4d33bf9edee6ad364832b
SHA1 878b0f5a422c43c211582ab5909cb8314ba71b60
SHA256 364176e60094ddf9c4123be1735ef016aa52a3624d4f15bbfdc259f02f41d484
SHA512 32da09e12b56753a89976112c3b0cd4e0b8afb74d16a056200e460cbce0da211fce5bf3b08c1e30d26c06064f90803bbda75a066094c7f517b37e8c5a145cc9a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\5ca6783985481467_0

MD5 0fb5926f6f1936a4ea2e2a535e251fc0
SHA1 ff7ed1b5663d2d2faac805e665af35f4a387b778
SHA256 960080a8c2f0b765fd248a2c67801296b13cde0196516efe5621006b4bb2ff81
SHA512 1a0773c49752ade9a407e3f281aca0ef70443de641f87d2f69171aa9aef2cf9eb85d61991907615d9101df8c4b622b108846619d23bcaab0e406b248c9c419eb

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\549b82506abc42a0_0

MD5 f0f4667aa679f4a89c5ae2d86cde65fa
SHA1 0d404028cf0166dbc268fb4c5bc635ad577a53a0
SHA256 a344b876ee0cbeeda77b97b504b677e3a657a47d1c0646814dc2babe3149ab0a
SHA512 dca5c3bd6236066b903f53b7a36892685c1cc1725e8d63cd73b8c075ae6e0b8853f1b795642ecddf67bea9be4b37198d34a0824ee40e25cf2496fd209c0151c8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\4fba678d698bde28_0

MD5 56e06a0afb9ccfd11105908a4d91c23d
SHA1 d7503cf595eb5baca9144d533842f6b1a78a12f6
SHA256 33cb42ccfa5780fff574353a0bc837da6d1c0561766b9ccfe1103ae8b2bfa77f
SHA512 f79cf4f47a0bc3e435c83ec0706924b7e2d1b448307f06c0686bc7f82bd9708854c9f98f4726630b4ccc91ad5666c0a304e2689d8d01105d4926ddca2a37074a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\45d77edb8130b2cb_0

MD5 1a69d3c64d2ff4ae6c599e046736fd6a
SHA1 379dde5480629e648c12c204f3508426599cdd5b
SHA256 627b31d27473a622b2196ff32fc1b60c99c5fbd2d6b19070cd0078aadca41e4b
SHA512 3baaff4ac047a1e2f1c20cdc8ef1b06eee3c5e28607c9f0fddafa72960d13e830b20f6a8640dd2cb0de3f82a95530802b123fc341dd8f271359742ac17058e63

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\425107fcd2c23b92_0

MD5 7c7776370a4369c69d1e283a42f2939a
SHA1 488c9f2ae036ec9cbac46aec60418a6cf0dc9d56
SHA256 85f3fb96c0dea6cb2aec27b8b51da47ff34be7b34974c13554a6ed34e4801ac4
SHA512 f13238120416a7627586307842179488d75999cc7344514cb975a2fa8dd4b4685ca098b79e6e414984c7c29dd17d5b5b37b67982c22a9fc0da8561c3fe2637ec

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\3b250ad22f3c0663_0

MD5 b933f185a4e970a708217fece1a19834
SHA1 6e27f74fa7bbeae6f2b9904f8057e3722f577e80
SHA256 dd45c0f89ea7f275254cfc0cba497fe9bd6be690addde2d00b9a4436a35b7620
SHA512 68d592fd98772493c3bd9b65c8928e8228cff5189430ef249c8202f423d11ad56fc25fb4522e4685913c3e3dd1cf76dbc60e4b7b1897ee5d2500f1ea8df928c5

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\1c6099e140a2d1a2_0

MD5 e8204396e75b7ec0d572c50dfba3a047
SHA1 db6a41510fea168732ca0a35e86de6f631eec19c
SHA256 20b42005ccb224f1185bedfbf82887bd0ad3cd3abf7510f16f770b1765049f52
SHA512 3026c3fc3304fb895bff143f43d3d1aa03b0e93b0e20598fc3e12b24f75df33cc43e978672e576a6686028fecd917bd0b082a55a16eb49127a7f085cac876fb7

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\1887633246b0d246_0

MD5 1a17b08b643ce0526be68047cece8cee
SHA1 3ad2d2a2dcad81fb3a6962a4c3c5283781da7a32
SHA256 2e0f52f4cfc0d84b0059b64ea14cff2e56af8a69a42c71ba2ba3bfb1515c6cc0
SHA512 a8d18a393bf60c7335553d9d4ce0c93919493bdf1170365f9e94159720422a91fc870f3f7e298d235d1649bb36a794a7c2da09f125564025144df4fe40e4a7db

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Code Cache\js\0ff3794e01c673f1_0

MD5 04a0b72877c68cdbeaca8cdeec68c6c2
SHA1 50ee91292133488e79f9576930730a0b3b91102f
SHA256 698dcd865adac4b770d5801113fb3ddbf3828e83913921d66b4141afee1e834d
SHA512 642e3aac9f8a24c1047b2a6e3f1748de6b5dac52c491f9248945864d291950f5a8f7413de32577bf374848158dc3aa882cf52f8ba1d62d952cfc40c527ba10df

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000012

MD5 f834a8482f7e5e51dea9f374e49c0dae
SHA1 866fa944e0dfba57333f3a0c4329784f3f970745
SHA256 a703aa7dc477be6e5dcc3a171b278107252ede4d626f42af09c4ad542392d8f0
SHA512 cf9d5b4c72c5bcebe272b17c74882de25886c604566e69657041ba15c827de030ed7f929af179c62c54f1cf7804fd66ec1c9937397882cd52bec738f959ba768

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000011

MD5 9b98bb2e71cde935692d79709aa2fbe1
SHA1 ed9f1450692f11cff9195641824d898a72c974f0
SHA256 cfdc2eb965df8147f80412bd383d77d90df6c5a92546cc9b5a0b9cf64470f771
SHA512 0c98114d6e8f4aee2d33ea8ec52a108382db044ac0449e199bb35b7c73eb084e8aa923c9c33f2992070e32153e36baeefb3b39359d3d29b10c2745de77948eaf

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000010

MD5 789fd4f17cc11ac527dc82ac561b3220
SHA1 83ac8d0ad8661ab3e03844916a339833169fa777
SHA256 5459e6f01b7edde5f425c21808de129b69470ee3099284cb3f9413d835903739
SHA512 742d95bb65dcc72d7ce7056bd4d6f55e2811e98f7a3df6f1b7daef946043183714a8a3049b12a0be8ac21d0b4f6e38f7269960e57b006dfec306158d5a373e78

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_00000f

MD5 a8d7a67a55dd3b809f2cfcfc2fa02e73
SHA1 0eb01ad5ddf0673a7a1ceb0db7cc841fd4286d40
SHA256 60079fba88cc9e0cfc075af790e81af5274c2afe125b562a26c1991d85a55e94
SHA512 55dc19a19f0eeed2cf4c9e1756b0f8019d7c7b4cdaa2bdd49b16ad2790211df86517f4637a53ecf8118800ad57fb0366e08246d35acb7df4854293115d5ff365

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_00000d

MD5 4e96db351538d4169bf9b8e46997036a
SHA1 564e83facf1f42b333d0a244e1d89eea5f2f8557
SHA256 ad14c57852be3c18422b078d69ec21d4112d19c6bf26e3c29184fb4c590ce7a8
SHA512 3566dc085f5c7ee75b5a0e7e6ecab4a9391b75c6220fee271faa1a0dcf48396ea685107d9e47370a9b78713f96a73d5002c797a337580df78a303a57a6159581

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_00000c

MD5 e6e58e646155c64d0979266659498161
SHA1 92b701a1e765bd112d080697989a1b476aa25c70
SHA256 0065cac7dda667b841023bd88d4c859cb16d58fe8aa820459bb18f16c0875f55
SHA512 f331b8178c6ef121ec6762443eb5d15779a9bebf6437454d9823d083bdd329159c58ce3bd01630447647f0f6d25ccd82e2a4f1bf6aa779bcf3c10a47a28d11c3

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_00000b

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_00000a

MD5 e4eb7c013b1edb9e96b21dc67856e9db
SHA1 dedac7aa64c25a94633e4886750f89b7afffdab1
SHA256 1c2091bd6f98a97b7735c01fdf2e60024349f429f9f8e1507196fe7866283327
SHA512 7f31f69ae6ee5f9f062e2b2e89065dc73a0f3db661328f843bd7231855e4da36543190de3179517d622928620afacfd6999c42f1a64f6aaca03197eb52dc427f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000009

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000008

MD5 4802e056e4e9c6bcc94fa2a41f1e3b66
SHA1 a04e6b0ad535696639d72222a4e45f9819731bb6
SHA256 1e5239610d4a030abb06debaf2d683c5605ca458964b556fd11c40596ac5dc32
SHA512 30ebab374b92116a8ea9095329c50e8463e0107d1c45ecd5e4966ff627e6957fa282df2eeeb49f7c2d3fb75ab2a84cf2cea81c909f95206a653a04071ed55e79

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000007

MD5 8877fbc3201048f22d98ad32e400ca4a
SHA1 993343bbecb3479a01a76d4bd3594d5b73a129bd
SHA256 22f8221159c3f919338da3a842d9a50171ddc5ac805be6239bd63e0db78046af
SHA512 3dfb36cd2d15347eaa3c7ae29bfa6aa61638e9739174f0559a3a0c676108ccc1a6028f58dad093d6b90cac72b4468eb1d88b6414339555c9f872a5638271d9c9

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000006

MD5 c8c8aad6d0abda9082019bbe2e05f315
SHA1 9a8ebe9d357fb618cbf6926ecfd39ea73789cdc9
SHA256 5db97a6de434e460230ada9671f894658aa4b10593fa20c51788596d26cb670b
SHA512 672cc6dabe3125b84b59c6283f115a467fea99a37e52daac3c0a364efde0548ce3f4c39037ecca4ee3c828ea4b7671b81b2c35473563202e1df7cd2ab570fc3d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000005

MD5 22b41bb4ab4238142ce586f7994be786
SHA1 bdd83d9ca702353a9cc7218e95d2ead1d3219d34
SHA256 8682d67abc613bd209cb92e6785d090eabd8018d2acb90d4a04f86f23240216e
SHA512 14290e01d9abc9b09214e8f1e221895b8d95ca4dcf76bfd17b6ec2333091d67737577ba920661c0f50eef5a37dd95b01f74ff58a13c3e0901bf9492043413459

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000004

MD5 c1929facaf526593dc250b9c2ab07894
SHA1 b44dd7415797b497e73cb1327303fb1a904ca0be
SHA256 d5bb92e77b1808b34222e8fec36188fb24ebcdef13c3bbf1c3ef33e8a8552eac
SHA512 b6d89d5942e5d2245fe63cb2f0091d0e9c67c168afd62b475aebb1e45666190cc6d5f6d5953fa694446ded66f476a3ca141de58044804b0732e9170453096230

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000003

MD5 d5961c113e4ed66ac4732ff9d06bb1fa
SHA1 92129a20f1d4f2ccfb7ad28a544318482a0da639
SHA256 a83d9beb17c0549cd11d672dcd6d1340879d23f8c5b3d184f1fba8a883918c7f
SHA512 2a9ec785c1435d8d46ac803ac54d00b6798d1df2c08ecf95759d5aae5168be2a17396ce15b47bc862bb54082689f4fa726815de07918bacb23e832fc16f13650

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\Cache\Cache_Data\f_000002

MD5 40cd564ceca4af493c28ae1ae908c579
SHA1 5543e92bb72cfdde555a204c7b7b9ed8cd2db847
SHA256 a0dc42c27af419e1e16cde876eb1d0ec1efa8a440e4cbcb14ea8f12c1e6e1c80
SHA512 57deeaa8366a9c3050513bfc5d5a8f9703122a982e08da954e8b67e3c5cc4aa1d023bc7c1c4c1fa5c7e65dc7cda7eb7c661c1496a735be833f3e8b946ff483d3

memory/2688-621-0x0000000074240000-0x000000007492E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUA81N\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-23 18:16

Reported

2023-07-23 18:18

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4376 set thread context of 908 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe C:\Users\Admin\AppData\Local\Temp\cl.exe
PID 2880 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe C:\Users\Admin\AppData\Local\Temp\cl.exe
PID 2880 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe C:\Users\Admin\AppData\Local\Temp\cl.exe
PID 4376 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4376 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4376 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4376 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4376 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\cl.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 908 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 3224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\schtasks.exe
PID 908 wrote to memory of 3224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\schtasks.exe
PID 908 wrote to memory of 3224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\schtasks.exe
PID 908 wrote to memory of 720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\schtasks.exe
PID 908 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\schtasks.exe
PID 908 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe

"C:\Users\Admin\AppData\Local\Temp\d1c4c493c171000d21ae122bc5d819ba.exe"

C:\Users\Admin\AppData\Local\Temp\cl.exe

"C:\Users\Admin\AppData\Local\Temp\cl.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2880 -ip 2880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#ybjpudvhanaikxy#> powershell <#ybjpudvhanaikxy#> -Verb <#ybjpudvhanaikxy#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 14:06 /f /tn TaskManagerCheckUpdate_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 14:06 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 149.202.8.114:26642 N/A tcp
US 8.8.8.8:53 114.8.202.149.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 173.223.117.131:80 www.microsoft.com tcp
NL 173.223.117.131:443 www.microsoft.com tcp
US 8.8.8.8:53 131.117.223.173.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 185.159.129.168:80 N/A tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
RU 185.149.146.118:80 N/A tcp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
RU 77.91.77.144:80 N/A tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:80 pastebin.com tcp
US 104.20.67.143:443 pastebin.com tcp
RU 185.228.234.30:80 185.228.234.30 tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 30.234.228.185.in-addr.arpa udp
US 8.8.8.8:53 200.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/2880-134-0x00000000027C0000-0x00000000028C0000-memory.dmp

memory/2880-135-0x0000000002700000-0x000000000273F000-memory.dmp

memory/2880-136-0x0000000000400000-0x0000000002485000-memory.dmp

memory/2880-137-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/2880-138-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/2880-140-0x0000000006CC0000-0x0000000007264000-memory.dmp

memory/2880-139-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/2880-141-0x0000000007370000-0x0000000007988000-memory.dmp

memory/2880-142-0x0000000007990000-0x0000000007A9A000-memory.dmp

memory/2880-144-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/2880-143-0x0000000007AB0000-0x0000000007AC2000-memory.dmp

memory/2880-145-0x0000000007AD0000-0x0000000007B0C000-memory.dmp

memory/2880-146-0x00000000027C0000-0x00000000028C0000-memory.dmp

memory/2880-147-0x0000000000400000-0x0000000002485000-memory.dmp

memory/2880-148-0x0000000002700000-0x000000000273F000-memory.dmp

memory/2880-149-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/2880-150-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/2880-151-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/2880-152-0x0000000007DD0000-0x0000000007E46000-memory.dmp

memory/2880-153-0x0000000007E50000-0x0000000007EE2000-memory.dmp

memory/2880-154-0x0000000007EF0000-0x0000000007F56000-memory.dmp

memory/2880-155-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

memory/2880-156-0x0000000008A30000-0x0000000008BF2000-memory.dmp

memory/2880-157-0x0000000008C10000-0x000000000913C000-memory.dmp

memory/2880-158-0x00000000096F0000-0x0000000009740000-memory.dmp

memory/2880-159-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cl.exe

MD5 79982cf6836eebddfc2aa3e773f54f38
SHA1 50b22589ab2def3cdaaedcd0b775b5bbc705b119
SHA256 c734d9e260a93250d5f6a81fd6a2fd7eb30ac20ea1ac2ec0032767cced2107bc
SHA512 7427e665887f35db7fc8f28743ca7b65c646151ded8214cfcc2eaf14cbd6bfdfd0598c236c1ea1536f0ccead25d0485ab8dee54d353d10109ab01f3391a171e2

C:\Users\Admin\AppData\Local\Temp\cl.exe

MD5 79982cf6836eebddfc2aa3e773f54f38
SHA1 50b22589ab2def3cdaaedcd0b775b5bbc705b119
SHA256 c734d9e260a93250d5f6a81fd6a2fd7eb30ac20ea1ac2ec0032767cced2107bc
SHA512 7427e665887f35db7fc8f28743ca7b65c646151ded8214cfcc2eaf14cbd6bfdfd0598c236c1ea1536f0ccead25d0485ab8dee54d353d10109ab01f3391a171e2

memory/4376-168-0x00000000007A0000-0x0000000000AB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cl.exe

MD5 79982cf6836eebddfc2aa3e773f54f38
SHA1 50b22589ab2def3cdaaedcd0b775b5bbc705b119
SHA256 c734d9e260a93250d5f6a81fd6a2fd7eb30ac20ea1ac2ec0032767cced2107bc
SHA512 7427e665887f35db7fc8f28743ca7b65c646151ded8214cfcc2eaf14cbd6bfdfd0598c236c1ea1536f0ccead25d0485ab8dee54d353d10109ab01f3391a171e2

memory/4376-172-0x00000000007A0000-0x0000000000AB8000-memory.dmp

memory/908-171-0x0000000000400000-0x0000000000527000-memory.dmp

memory/908-179-0x0000000000400000-0x0000000000527000-memory.dmp

memory/908-181-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-180-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-183-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-182-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-184-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-186-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-188-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-187-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-189-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/2880-185-0x0000000000400000-0x0000000002485000-memory.dmp

memory/908-190-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-191-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-192-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-193-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-194-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-195-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-196-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-197-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-198-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-199-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/2880-201-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/908-200-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-204-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-203-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-205-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-202-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-206-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-207-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-209-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-208-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-210-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-211-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-212-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-213-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-214-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-215-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-216-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-217-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-218-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-219-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-221-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-222-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-223-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-224-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-226-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-225-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-220-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-227-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-228-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-229-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-230-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-231-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-232-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-233-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-234-0x00000000FEFA0000-0x00000000FEFB0000-memory.dmp

memory/908-246-0x00000000771D2000-0x00000000771D3000-memory.dmp

memory/2276-339-0x0000000005240000-0x0000000005276000-memory.dmp

memory/2276-341-0x0000000073250000-0x0000000073A00000-memory.dmp

memory/2276-344-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/2276-347-0x00000000058B0000-0x0000000005ED8000-memory.dmp

memory/2276-345-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/2276-349-0x0000000005830000-0x0000000005852000-memory.dmp

memory/2276-351-0x0000000006110000-0x0000000006176000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsacm2dy.03v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2276-360-0x0000000006810000-0x000000000682E000-memory.dmp

memory/2276-361-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/2276-362-0x0000000006D80000-0x0000000006E16000-memory.dmp

memory/2276-363-0x0000000006D10000-0x0000000006D2A000-memory.dmp

memory/2276-364-0x00000000079E0000-0x0000000007A02000-memory.dmp

memory/2276-367-0x0000000073250000-0x0000000073A00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/384-369-0x0000000073250000-0x0000000073A00000-memory.dmp

memory/384-370-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/384-371-0x0000000004B40000-0x0000000004B50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb9dcf5f75996490e183b5af5eb84c8f
SHA1 7800ec3c5ba445abf4141271511cdc5d0d58fc27
SHA256 e030cc632420ca75893a36e874a6d48845fbeb0f9e965d76e83700e23a19cb81
SHA512 d3174af069a0e6bc4c17139d8b27f339c367d6cdc7c12486eb360b5b07af149b3c442d233090ab8e159b5be07eb57f3721f24b009c970107e45dddd8db7e7568

memory/384-382-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/384-383-0x00000000070E0000-0x0000000007112000-memory.dmp

memory/384-384-0x000000006FB40000-0x000000006FB8C000-memory.dmp

memory/384-394-0x00000000066F0000-0x000000000670E000-memory.dmp

memory/384-395-0x0000000007AB0000-0x000000000812A000-memory.dmp

memory/384-396-0x00000000074C0000-0x00000000074CA000-memory.dmp

memory/384-397-0x0000000007690000-0x000000000769E000-memory.dmp

memory/384-398-0x0000000007790000-0x00000000077AA000-memory.dmp

memory/384-399-0x0000000007770000-0x0000000007778000-memory.dmp

memory/384-401-0x0000000073250000-0x0000000073A00000-memory.dmp

memory/720-411-0x0000000073250000-0x0000000073A00000-memory.dmp

memory/720-413-0x00000000054B0000-0x00000000054C0000-memory.dmp

memory/720-414-0x00000000054B0000-0x00000000054C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a9a17f75d61d62dfa8ea396945216330
SHA1 ba22584db0ca9865814aed80795f3089c084eeae
SHA256 80bb60b35ac4bba2afe0e84b2a020d8ed1258bae1bdd6f24f1e38eb0807f672d
SHA512 c68e6165a61a8a2feecc38bd5352909abb844ad8076c23b6cf500da161dbd492e2a9546939aff130ac470a3a449075db09dffc537e59523355a111b8715245c8

memory/720-430-0x00000000054B0000-0x00000000054C0000-memory.dmp

memory/720-431-0x00000000730A0000-0x00000000730EC000-memory.dmp

memory/720-442-0x0000000073250000-0x0000000073A00000-memory.dmp