Analysis Overview
SHA256
43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4
Threat Level: Known bad
The file 43866279c665ce788216110e56726c1b82817ab79bbc9.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
Drops file in Drivers directory
Downloads MZ/PE file
Stops running service(s)
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2023-08-11 00:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-11 00:06
Reported
2023-08-11 00:08
Platform
win7-20230712-en
Max time kernel
118s
Max time network
120s
Signatures
RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe
"C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 136.244.98.226:33587 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-11 00:06
Reported
2023-08-11 00:08
Platform
win10v2004-20230703-en
Max time kernel
68s
Max time network
113s
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4748 created 3160 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Windows\Temp\setup.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3872 set thread context of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cli.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe
"C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe"
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\cli.exe
"C:\Users\Admin\AppData\Local\Temp\cli.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3872 -ip 3872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 284
C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4476 -ip 4476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 2632
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=44251 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1" --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffec0fb9758,0x7ffec0fb9768,0x7ffec0fb9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1360 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1668 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=44251 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1976 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2364 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2512 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3148 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3304 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3432 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| NL | 136.244.98.226:33587 | N/A | tcp |
| US | 8.8.8.8:53 | 226.98.244.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.85.1.163:80 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 163.1.85.104.in-addr.arpa | udp |
| RU | 185.159.129.168:80 | N/A | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| RU | 185.149.146.118:80 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 77.91.77.144:80 | N/A | tcp |
| US | 8.8.8.8:53 | 254.128.241.8.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| N/A | 127.0.0.1:44251 | N/A | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| NL | 216.58.214.14:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.214.58.216.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 80b0b41decb53a01e8c87def18400267 |
| SHA1 | 885f327c4e91065486137ca96105190f7a29d0f9 |
| SHA256 | 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1 |
| SHA512 | 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e |
C:\Windows\Temp\setup.exe
| MD5 | 84741bc02d2e9226a943aa03b6a4568d |
| SHA1 | 617d01316011faf77fba30d49ae1e86ff988380a |
| SHA256 | fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93 |
| SHA512 | 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379 |
C:\Users\Admin\AppData\Local\Temp\cli.exe
| MD5 | b78141a544759e1a07740aa28b35584c |
| SHA1 | af95ccd7d12c7ed7bdc6782373302118d2ebe3a8 |
| SHA256 | e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d |
| SHA512 | 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959 |
C:\Users\Admin\AppData\Local\Temp\cc.exe
| MD5 | 858f82fe9166c34b6709a3adfe6a625f |
| SHA1 | 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5 |
| SHA256 | 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28 |
| SHA512 | 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e |
\??\pipe\crashpad_4220_YPBHZRUYMZTJQNKC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Default\DawnCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Default\DawnCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Default\DawnCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_teqgw5y4.45b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 2d29fd3ae57f422e2b2121141dc82253 |
| SHA1 | c2464c857779c0ab4f5e766f5028fcc651a6c6b7 |
| SHA256 | 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4 |
| SHA512 | 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | d48d4789fb8347baf4137dcf63bc3c82 |
| SHA1 | 8759e0fc9ee63b867f85cdaf4171ff0007d592c3 |
| SHA256 | 0f4e0149ecb81286201691492477a10e9291481d76790cd1c354b72aa02bca7a |
| SHA512 | cc7d05d36f655e0e981cffe9a9976042f50ef261c955729ed472c393c1c9bad6a5546cfa920219279257f29e5635a113ed27f9ffffad9e5c5205d94c797c4058 |