Malware Analysis Report

2025-01-18 09:17

Sample ID 230807-3nz23shh32
Target 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180
SHA256 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180
Tags
redline xmrig logsdiller cloud (tg: @logsdillabot) evasion infostealer miner spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180

Threat Level: Known bad

The file 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180 was found to be: Known bad.

Malicious Activity Summary

redline xmrig logsdiller cloud (tg: @logsdillabot) evasion infostealer miner spyware stealer themida

xmrig

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

XMRig Miner payload

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Executes dropped EXE

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-07 23:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-07 23:40

Reported

2023-08-07 23:42

Platform

win10-20230703-en

Max time kernel

149s

Max time network

131s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2792 set thread context of 4972 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 2792 set thread context of 5000 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 5024 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 5024 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 3032 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 3032 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 4996 wrote to memory of 2656 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 2656 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 2192 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 4484 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 4484 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 4636 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4996 wrote to memory of 4636 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2228 wrote to memory of 4228 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2228 wrote to memory of 4228 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2228 wrote to memory of 3248 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2228 wrote to memory of 3248 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2228 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2228 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2228 wrote to memory of 4584 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2228 wrote to memory of 4584 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2144 wrote to memory of 4568 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 4568 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 3756 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 3756 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 4200 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 4200 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 2660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 2660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 4232 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2144 wrote to memory of 4232 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 5108 wrote to memory of 2656 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5108 wrote to memory of 2656 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5108 wrote to memory of 2088 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5108 wrote to memory of 2088 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5108 wrote to memory of 4492 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5108 wrote to memory of 4492 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5108 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5108 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2792 wrote to memory of 4972 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 2792 wrote to memory of 5000 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe

"C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
NL 209.250.248.11:33522 tcp
US 8.8.8.8:53 11.248.250.209.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/5024-120-0x00000000034C0000-0x00000000034E9000-memory.dmp

memory/5024-121-0x00000000034F0000-0x000000000352F000-memory.dmp

memory/5024-122-0x0000000000400000-0x00000000018C7000-memory.dmp

memory/5024-123-0x00000000038C0000-0x00000000038F8000-memory.dmp

memory/5024-124-0x00000000035E0000-0x00000000035F0000-memory.dmp

memory/5024-125-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/5024-126-0x00000000035E0000-0x00000000035F0000-memory.dmp

memory/5024-127-0x0000000005F30000-0x000000000642E000-memory.dmp

memory/5024-128-0x0000000003A50000-0x0000000003A84000-memory.dmp

memory/5024-129-0x00000000037A0000-0x00000000037A6000-memory.dmp

memory/5024-130-0x00000000066A0000-0x0000000006CA6000-memory.dmp

memory/5024-131-0x0000000006CC0000-0x0000000006DCA000-memory.dmp

memory/5024-132-0x0000000006E00000-0x0000000006E12000-memory.dmp

memory/5024-133-0x0000000006E20000-0x0000000006E5E000-memory.dmp

memory/5024-134-0x0000000006EC0000-0x0000000006F0B000-memory.dmp

memory/5024-135-0x00000000034C0000-0x00000000034E9000-memory.dmp

memory/5024-136-0x0000000000400000-0x00000000018C7000-memory.dmp

memory/5024-137-0x00000000034F0000-0x000000000352F000-memory.dmp

memory/5024-138-0x0000000073AF0000-0x00000000741DE000-memory.dmp

memory/5024-139-0x00000000035E0000-0x00000000035F0000-memory.dmp

memory/5024-140-0x0000000007000000-0x0000000007076000-memory.dmp

memory/5024-141-0x0000000007080000-0x0000000007112000-memory.dmp

memory/5024-142-0x0000000007120000-0x0000000007186000-memory.dmp

memory/5024-143-0x0000000009B20000-0x0000000009B70000-memory.dmp

memory/5024-144-0x0000000009B90000-0x0000000009D52000-memory.dmp

memory/5024-145-0x0000000009D60000-0x000000000A28C000-memory.dmp

memory/5024-146-0x00000000035E0000-0x00000000035F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

memory/5024-153-0x0000000000400000-0x00000000018C7000-memory.dmp

memory/5024-157-0x0000000073AF0000-0x00000000741DE000-memory.dmp

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4104-162-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-164-0x00007FFF81090000-0x00007FFF8126B000-memory.dmp

memory/4104-163-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-165-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-166-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-167-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-168-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-169-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-170-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-171-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-172-0x00007FFF81090000-0x00007FFF8126B000-memory.dmp

memory/3240-178-0x0000017DAE440000-0x0000017DAE462000-memory.dmp

memory/3240-179-0x00007FFF74110000-0x00007FFF74AFC000-memory.dmp

memory/3240-180-0x0000017DAE430000-0x0000017DAE440000-memory.dmp

memory/3240-181-0x0000017DAE430000-0x0000017DAE440000-memory.dmp

memory/3240-184-0x0000017DAE5F0000-0x0000017DAE666000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mt0nrvdb.fhl.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3240-197-0x0000017DAE430000-0x0000017DAE440000-memory.dmp

memory/3240-220-0x0000017DAE430000-0x0000017DAE440000-memory.dmp

memory/3240-224-0x00007FFF74110000-0x00007FFF74AFC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

memory/5076-230-0x00007FFF74110000-0x00007FFF74AFC000-memory.dmp

memory/5076-233-0x0000014EF92B0000-0x0000014EF92C0000-memory.dmp

memory/5076-232-0x0000014EF92B0000-0x0000014EF92C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aced43cf55054d924b787b696079357c
SHA1 07e7eb1516ad8a95d773995a62353b419f92b776
SHA256 a41c1aec4f0f26866d3adb50dbe37a2be5e2294ac5dde60dfc7ce7a624cf646b
SHA512 d45be51d0aba76a771f8e653c4e71a0758382fbc70a8c000372d308c5e876fa0cdd78485df1298c159d332024acba53e3384e688929362e22226236eb25bc67e

memory/5076-249-0x0000014EF92B0000-0x0000014EF92C0000-memory.dmp

memory/5076-270-0x00007FFF74110000-0x00007FFF74AFC000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4104-272-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp

memory/4104-273-0x00007FFF81090000-0x00007FFF8126B000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2792-275-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/2792-276-0x00007FFF81090000-0x00007FFF8126B000-memory.dmp

memory/2792-277-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/2792-278-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/2792-279-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/2792-280-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/2792-281-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/2792-282-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/2792-283-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/2792-286-0x00007FFF81090000-0x00007FFF8126B000-memory.dmp

memory/4016-288-0x00007FFF74110000-0x00007FFF74AFC000-memory.dmp

memory/4016-290-0x000002D31F470000-0x000002D31F480000-memory.dmp

memory/4016-291-0x000002D31F470000-0x000002D31F480000-memory.dmp

memory/4016-310-0x00007FF635D50000-0x00007FF635D60000-memory.dmp

memory/4016-311-0x000002D31F5C0000-0x000002D31F5DC000-memory.dmp

memory/4016-317-0x000002D31F780000-0x000002D31F839000-memory.dmp

memory/4016-350-0x000002D31F5B0000-0x000002D31F5BA000-memory.dmp

memory/4016-407-0x000002D31F470000-0x000002D31F480000-memory.dmp

memory/4016-408-0x000002D31F470000-0x000002D31F480000-memory.dmp

memory/4016-441-0x00007FFF74110000-0x00007FFF74AFC000-memory.dmp

memory/2792-442-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 811d351aabd7b708fef7683cf5e29e15
SHA1 06fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA256 0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512 702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

memory/664-448-0x00007FFF74110000-0x00007FFF74AFC000-memory.dmp

memory/664-450-0x00000202843F0000-0x0000020284400000-memory.dmp

memory/664-452-0x00000202843F0000-0x0000020284400000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 302a7c179ef577c237c5418fb770fd27
SHA1 343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA256 9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512 f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

memory/664-472-0x00007FF635D30000-0x00007FF635D40000-memory.dmp

memory/664-566-0x00000202843F0000-0x0000020284400000-memory.dmp

memory/664-567-0x00000202843F0000-0x0000020284400000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/5000-733-0x0000000001660000-0x0000000001680000-memory.dmp

memory/2792-732-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp

memory/4972-735-0x00007FF6DFB70000-0x00007FF6DFB9A000-memory.dmp

memory/5000-736-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp

memory/5000-738-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp

memory/4972-739-0x00007FF6DFB70000-0x00007FF6DFB9A000-memory.dmp

memory/5000-740-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp

memory/5000-742-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp

memory/5000-744-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp

memory/5000-746-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp