Malware Analysis Report

2024-10-19 01:10

Sample ID 230801-zdj2bscb2z
Target 1d3e10adc7685d83f72d99f44fe63a27.exe
SHA256 747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369
Tags
280723_red_fox redline amadey laplas clipper evasion infostealer spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

747a43c82c4a13158da7adc6634bae72b5b7aafcd9214cbd2694bf5d60999369

Threat Level: Known bad

The file 1d3e10adc7685d83f72d99f44fe63a27.exe was found to be: Known bad.

Malicious Activity Summary

280723_red_fox redline amadey laplas clipper evasion infostealer spyware stealer themida trojan

RedLine payload

Amadey

Redline family

RedLine

Laplas Clipper

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Stops running service(s)

Drops file in Drivers directory

Themida packer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-01 20:36

Signatures

Redline family

redline

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-01 20:36

Reported

2023-08-01 20:38

Platform

win7-20230712-en

Max time kernel

84s

Max time network

143s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Laplas Clipper

stealer clipper laplas

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe | N/A
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40e3b2feb7c4d901 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskmaskamd.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taskmaskamd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2064 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe | C:\Users\Admin\AppData\Local\Temp\taskmaskamd.exe
PID 2064 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe | C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe
PID 2064 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe | C:\Users\Admin\AppData\Local\Temp\taskmask.exe
PID 2724 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\taskmask.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2724 wrote to memory of 700 | N/A | C:\Users\Admin\AppData\Local\Temp\taskmask.exe | C:\Windows\SysWOW64\WerFault.exe
PID 3000 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\taskmaskamd.exe | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
PID 2792 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2792 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 1756 wrote to memory of 1372 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 1756 wrote to memory of 2328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1208 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 1756 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe

"C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe"

C:\Users\Admin\AppData\Local\Temp\taskmaskamd.exe

"C:\Users\Admin\AppData\Local\Temp\taskmaskamd.exe"

C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe"

C:\Users\Admin\AppData\Local\Temp\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\taskmask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 36

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\eb0f58bce7" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

"C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 36

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\taskeng.exe

taskeng.exe {D77A7FD4-DB34-46C9-BED2-D5EC274F37CE} S-1-5-21-2969888527-3102471180-2307688834-1000:YKQDESCX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

"C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {922B2855-E373-4511-9EEB-488708851280} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

"C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Network

Country | Destination | Domain | Proto
NL | 85.209.3.10:11615 | N/A | tcp
NL | 194.180.49.153:80 | 194.180.49.153 | tcp
SG | 128.199.192.86:81 | N/A | tcp
US | 8.8.8.8:53 | api.ip.sb | udp
US | 172.67.75.172:443 | api.ip.sb | tcp
US | 8.8.8.8:53 | second.amadgood.com | udp
NL | 45.15.156.208:80 | 45.15.156.208 | tcp
US | 104.26.13.31:443 | api.ip.sb | tcp
US | 8.8.8.8:53 | xmr.2miners.com | udp
DE | 162.19.139.184:12222 | xmr.2miners.com | tcp
US | 206.189.229.43:80 | 206.189.229.43 | tcp

Files

memory/2064-54-0x0000000000CE0000-0x0000000000D10000-memory.dmp

memory/2064-55-0x0000000074340000-0x0000000074A2E000-memory.dmp

memory/2064-56-0x00000000003C0000-0x00000000003C6000-memory.dmp

memory/2064-57-0x0000000000C80000-0x0000000000CC0000-memory.dmp

memory/2064-58-0x0000000074340000-0x0000000074A2E000-memory.dmp

memory/2064-59-0x0000000000C80000-0x0000000000CC0000-memory.dmp

\Users\Admin\AppData\Local\Temp\taskmaskamd.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\taskmaskamd.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/3000-67-0x0000000000FF0000-0x0000000001A91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

\Users\Admin\AppData\Local\Temp\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/3000-73-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2064-78-0x00000000086C0000-0x000000000950A000-memory.dmp

memory/3000-77-0x0000000000090000-0x0000000000091000-memory.dmp

memory/3000-80-0x0000000000090000-0x0000000000091000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

\Users\Admin\AppData\Local\Temp\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

memory/3000-82-0x0000000000FF0000-0x0000000001A91000-memory.dmp

memory/2064-93-0x0000000074340000-0x0000000074A2E000-memory.dmp

memory/2828-91-0x000000013F5B0000-0x00000001403FA000-memory.dmp

memory/2828-81-0x000000013F5B0000-0x00000001403FA000-memory.dmp

memory/2280-96-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2724-95-0x0000000001040000-0x00000000011FF000-memory.dmp

memory/2280-94-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2828-102-0x0000000077100000-0x00000000772A9000-memory.dmp

memory/2280-100-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/3000-104-0x0000000077300000-0x0000000077301000-memory.dmp

memory/2280-107-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2828-103-0x000000013F5B0000-0x00000001403FA000-memory.dmp

memory/2280-109-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2828-108-0x000000013F5B0000-0x00000001403FA000-memory.dmp

memory/2828-110-0x000000013F5B0000-0x00000001403FA000-memory.dmp

memory/2828-111-0x000000013F5B0000-0x00000001403FA000-memory.dmp

memory/2280-112-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2280-113-0x00000000074A0000-0x00000000074E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/3000-116-0x0000000000550000-0x0000000000551000-memory.dmp

memory/2828-115-0x000000013F5B0000-0x00000001403FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

memory/3000-125-0x0000000000FF0000-0x0000000001A91000-memory.dmp

memory/2828-126-0x000000013F5B0000-0x00000001403FA000-memory.dmp

\Users\Admin\AppData\Local\Temp\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

memory/2792-129-0x0000000000EE0000-0x0000000001981000-memory.dmp

memory/2792-134-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2792-132-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2828-130-0x0000000077100000-0x00000000772A9000-memory.dmp

memory/2280-138-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2280-140-0x00000000074A0000-0x00000000074E0000-memory.dmp

memory/2792-139-0x0000000077300000-0x0000000077301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\969888527310

MD5 a6c35706374d534e65596cd97d62809b
SHA1 f9e0d47b28ace546d46f8c9a3fad48598b5d351f
SHA256 7209789859a933407aacaa11a6831d83ba3b3a1e378784081e081ae211cec84b
SHA512 724f93c210e47e4ca502e4dea695a424d29d7eaf39394242338044169877386983b708ec54e4a45eb4bc68f4b758b5cae58da6b8ad9c9a156a008ec216744690

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

memory/2792-171-0x0000000000EE0000-0x0000000001981000-memory.dmp

memory/2792-177-0x0000000000EE0000-0x0000000001981000-memory.dmp

memory/1868-180-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

memory/1868-182-0x0000000002350000-0x0000000002358000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe

MD5 f8f7c8c4cc25ba49c5b591aab8bfdc04
SHA1 6ed43db5ba58257c1283abfa8a08290ccf896033
SHA256 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
SHA512 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

memory/1868-191-0x0000000002644000-0x0000000002647000-memory.dmp

memory/1868-194-0x0000000002640000-0x00000000026C0000-memory.dmp

memory/1868-193-0x0000000002640000-0x00000000026C0000-memory.dmp

memory/1868-192-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

memory/2304-195-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/756-197-0x0000000000D90000-0x0000000000F4F000-memory.dmp

memory/2304-196-0x0000000007220000-0x0000000007260000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 46d637c8a957fbeed66ba295a7f18d0e
SHA1 f1f9e92c98bb7706d082dd79d86c1be4c64256f2
SHA256 817053878d8f66e26f4336fe8ff2999d2400b43967fff8d4cd118eb3d8043625
SHA512 4c9d05d54b6f272e5718b790beecc2be6b6f09e6d634755608e71267a575048b685c477cd8c2f8099f27cf0be6ba1ce5f24d2184bcb8b97bea999aee236ebc18

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DOJK124HP93VVSW757ZW.temp

MD5 46d637c8a957fbeed66ba295a7f18d0e
SHA1 f1f9e92c98bb7706d082dd79d86c1be4c64256f2
SHA256 817053878d8f66e26f4336fe8ff2999d2400b43967fff8d4cd118eb3d8043625
SHA512 4c9d05d54b6f272e5718b790beecc2be6b6f09e6d634755608e71267a575048b685c477cd8c2f8099f27cf0be6ba1ce5f24d2184bcb8b97bea999aee236ebc18

memory/2956-205-0x000000001B130000-0x000000001B412000-memory.dmp

memory/2956-206-0x0000000002330000-0x0000000002338000-memory.dmp

memory/2828-204-0x000000013F5B0000-0x00000001403FA000-memory.dmp

memory/2956-207-0x000007FEF4870000-0x000007FEF520D000-memory.dmp

memory/2956-208-0x0000000002820000-0x00000000028A0000-memory.dmp

memory/2956-209-0x000007FEF4870000-0x000007FEF520D000-memory.dmp

memory/2956-210-0x0000000002820000-0x00000000028A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2956-220-0x0000000002820000-0x00000000028A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2792-226-0x0000000004200000-0x000000000504A000-memory.dmp

memory/2488-227-0x000000013F400000-0x000000014024A000-memory.dmp

memory/2488-228-0x000000013F400000-0x000000014024A000-memory.dmp

memory/2488-229-0x000000013F400000-0x000000014024A000-memory.dmp

memory/2488-230-0x0000000077100000-0x00000000772A9000-memory.dmp

memory/2956-231-0x000007FEF4870000-0x000007FEF520D000-memory.dmp

memory/2488-234-0x000000013F400000-0x000000014024A000-memory.dmp

memory/2488-233-0x000000013F400000-0x000000014024A000-memory.dmp

memory/2488-232-0x000000013F400000-0x000000014024A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Local\Temp\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2828-239-0x0000000077100000-0x00000000772A9000-memory.dmp

memory/2828-238-0x000000013F5B0000-0x00000001403FA000-memory.dmp

memory/2280-240-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/1868-243-0x0000000002640000-0x00000000026C0000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

memory/2304-247-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2304-248-0x0000000007220000-0x0000000007260000-memory.dmp

memory/1872-249-0x000000013FDA0000-0x0000000140BEA000-memory.dmp

memory/2488-250-0x000000013F400000-0x000000014024A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/2900-259-0x000000013FDA0000-0x0000000140BEA000-memory.dmp

memory/2792-263-0x00000000040C0000-0x0000000004A03000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/2696-275-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2792-277-0x0000000004200000-0x000000000504A000-memory.dmp

memory/2900-281-0x000000013FDA0000-0x0000000140BEA000-memory.dmp

memory/2900-285-0x0000000077100000-0x00000000772A9000-memory.dmp

memory/2900-280-0x000000013FDA0000-0x0000000140BEA000-memory.dmp

memory/2900-279-0x000000013FDA0000-0x0000000140BEA000-memory.dmp

memory/2696-278-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2696-276-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2696-274-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2488-293-0x0000000077100000-0x00000000772A9000-memory.dmp

memory/2696-273-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2696-272-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2696-271-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2696-270-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2696-269-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2696-267-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/2696-268-0x0000000077100000-0x00000000772A9000-memory.dmp

memory/1632-266-0x0000000000EE0000-0x0000000001981000-memory.dmp

memory/2696-264-0x00000000003C0000-0x0000000000D03000-memory.dmp

memory/1632-295-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/1632-294-0x0000000077300000-0x0000000077301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe

MD5 3258deefff3ca70f3dfa3e67067ca611
SHA1 a28ec103c22b03f381dd72073cf620b11881b7b7
SHA256 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

memory/2328-303-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 46d637c8a957fbeed66ba295a7f18d0e
SHA1 f1f9e92c98bb7706d082dd79d86c1be4c64256f2
SHA256 817053878d8f66e26f4336fe8ff2999d2400b43967fff8d4cd118eb3d8043625
SHA512 4c9d05d54b6f272e5718b790beecc2be6b6f09e6d634755608e71267a575048b685c477cd8c2f8099f27cf0be6ba1ce5f24d2184bcb8b97bea999aee236ebc18

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2328-304-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

memory/2328-305-0x00000000027C0000-0x0000000002840000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 46d637c8a957fbeed66ba295a7f18d0e
SHA1 f1f9e92c98bb7706d082dd79d86c1be4c64256f2
SHA256 817053878d8f66e26f4336fe8ff2999d2400b43967fff8d4cd118eb3d8043625
SHA512 4c9d05d54b6f272e5718b790beecc2be6b6f09e6d634755608e71267a575048b685c477cd8c2f8099f27cf0be6ba1ce5f24d2184bcb8b97bea999aee236ebc18

C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

C:\Windows\System32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

C:\Program Files\Google\Chrome\updater.exe

MD5 768200a76def472e675539094047bed9
SHA1 24bc17689541656a8a12902c7f19bd991193ca50
SHA256 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 704f047aa189fb9d169ee3a6ff3260dc
SHA1 adf68b2b05f8b2370395fb9993e212a7d1631a7d
SHA256 72e421f18864bad31a5b641c6ad83d75acec4cd9d5790a9646f1b7d52a5bbb84
SHA512 47009cf9eca53a09dcd4228f8f18bc39dfb10693c6033fd286affd7d04d746f8574eca3dd899c6148071cba5a43c99a1c1cd00f69692ab5fe5d5a7934b4bed64

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 c69455b98ad05007675869b82cc0b89c
SHA1 e4b46685191bef0f9547efdc9b780ba9a117c1ec
SHA256 9539eda8b75e2902c668bacb5e208e81666d5f129f2bd97ffb8684bef6cee4b9
SHA512 57056e31983157418573ea465343f35a6eb15cc3772b8b0eb8fea0f5c75bc8f6e37d758d21479283e34b4846c08ffc99d2a803c14301ce4314ab743ea5c7b967

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

MD5 89e9bc7a5d97370a0f4a35041a54a696
SHA1 c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-01 20:36

Reported

2023-08-01 20:38

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe

"C:\Users\Admin\AppData\Local\Temp\1d3e10adc7685d83f72d99f44fe63a27.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
NL 85.209.3.10:11615 tcp
US 8.8.8.8:53 10.3.209.85.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp

Files
