Malware Analysis Report

2024-11-30 13:03

Sample ID 240620-dt777szgmm
Target Loader.exe
SHA256 5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1
Tags
evasion execution persistence trojan privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

evasion execution persistence trojan privilege_escalation

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Creates new service(s)

Drops file in Drivers directory

Stops running service(s)

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Gathers network information

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 03:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 03:19

Reported

2024-06-20 03:21

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\winhb.sys C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\System32\IME\SHARED\namef.ini \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\System32\IME\SHARED\namef.ini C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Launches sc.exe

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\sc.exe N/A 6

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A 3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A 16
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A 17
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A 16
N/A N/A \??\c:\windows\resources\svchost.exe N/A 15

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe N/A 2
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe N/A 2
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A 2
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A 2
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A 10

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A 35

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A 32

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1940 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 4
PID 1940 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe 4
PID 2220 wrote to memory of 2336 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe 4
PID 2336 wrote to memory of 2624 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2624 wrote to memory of 2656 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe 4
PID 2656 wrote to memory of 2520 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2336 wrote to memory of 3064 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe 4
PID 2656 wrote to memory of 2020 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2204 wrote to memory of 1412 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Windows\System32\cmd.exe 3
PID 2204 wrote to memory of 2096 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Windows\System32\cmd.exe 3
PID 2204 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Windows\system32\cmd.exe 3
PID 2096 wrote to memory of 1996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe 3
PID 1412 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe 3
PID 2204 wrote to memory of 1928 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Program Files\Google\Chrome\Application\chrome.exe 3
PID 2204 wrote to memory of 328 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Windows\system32\cmd.exe 3
PID 2204 wrote to memory of 880 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe 3
PID 880 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe 3
PID 880 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe 3
PID 880 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe 2
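The WriteProcessMemory table above is the most useful view of the run: every "PID X wrote to memory of Y" pair lines up with a parent/child relationship in the Processes list, so the table can be reduced to the execution chain Loader.exe -> icsys.icn.exe -> explorer.exe -> spoolsv.exe -> svchost.exe, with the second Loader.exe instance (PID 2204) driving cmd.exe, sc.exe and Chrome. The script below is an added example, not part of the sandbox report: it parses the rows (copied from the table, one line per distinct PID pair), deduplicates them, builds the tree and returns the lineage of any PID. The regular expressions and the assumption that a write from a parent to a freshly created child indicates that child's parent are mine.

```python
"""Rebuild the process tree from a sandbox "wrote to memory of" table (added example)."""
import re
from collections import defaultdict

# Constructed from the report's WriteProcessMemory table: one line per distinct
# (source PID, target PID) pair; the report repeats each pair two to four times.
WPM_ROWS = r"""
PID 1940 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe
PID 1940 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2220 wrote to memory of 2336 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2336 wrote to memory of 2624 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2624 wrote to memory of 2656 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2656 wrote to memory of 2520 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2336 wrote to memory of 3064 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2656 wrote to memory of 2020 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 1412 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Windows\System32\cmd.exe
PID 2204 wrote to memory of 2096 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Windows\System32\cmd.exe
PID 2204 wrote to memory of 2732 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Windows\system32\cmd.exe
PID 2096 wrote to memory of 1996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1412 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2204 wrote to memory of 1928 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2204 wrote to memory of 328 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Windows\system32\cmd.exe
PID 2204 wrote to memory of 880 N/A \??\c:\users\admin\appdata\local\temp\loader.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 880 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 880 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 880 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.*)$")
# A new image path starts at the beginning of the remainder or after a space,
# either as an NT path (\??\...) or a drive path (C:\...). Spaces inside
# "C:\Program Files\..." do not match because no drive letter follows them.
PATH_START = re.compile(r"(?:^| )(\\\?\?\\|[A-Za-z]:\\)")


def split_images(rest):
    """Split '<source image> <target image>' on the start of the second path."""
    starts = [m.start(1) for m in PATH_START.finditer(rest)]
    if len(starts) < 2:
        raise ValueError(f"expected two image paths in: {rest!r}")
    return rest[:starts[1]].strip(), rest[starts[1]:].strip()


def parse_rows(text):
    """Return (edges, image): deduplicated (src, dst) pairs in first-seen order and PID -> image."""
    edges, seen, image = [], set(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        src_img, dst_img = split_images(rest)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if (src, dst) not in seen:
            seen.add((src, dst))
            edges.append((src, dst))
    return edges, image


def build_tree(edges):
    """Return (roots, children): PIDs never written to are roots."""
    children, targets = defaultdict(list), set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    roots = list(dict.fromkeys(src for src, _ in edges if src not in targets))
    return roots, children


def render(roots, children, image):
    """Indented one-line-per-process view of the tree."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def lineage(pid, edges):
    """Ancestor chain from the root down to pid, e.g. for the schtasks.exe instance."""
    parent = {dst: src for src, dst in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return list(reversed(chain))


if __name__ == "__main__":
    edges, image = parse_rows(WPM_ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, image)))
    print("schtasks lineage:", " -> ".join(str(p) for p in lineage(2020, edges)))
```

Running it prints the 20-process tree rooted at PID 1940 and shows that the scheduled-task creation (PID 2020) sits five hops below the original Loader.exe, under the copy that was renamed svchost.exe in C:\Windows\Resources.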

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

\??\c:\users\admin\appdata\local\temp\loader.exe 

c:\users\admin\appdata\local\temp\loader.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:21 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc delete iqvw64e.sys

C:\Windows\system32\sc.exe

sc stop iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc stop iqvw64e.sys

C:\Windows\system32\sc.exe

sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys

C:\Windows\system32\sc.exe

sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc start windowsproc

C:\Windows\system32\sc.exe

sc start windowsproc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5aa9758,0x7fef5aa9768,0x7fef5aa9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1368,i,9087336214530012684,12704461108496152769,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1368,i,9087336214530012684,12704461108496152769,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1540 --field-trial-handle=1368,i,9087336214530012684,12704461108496152769,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1368,i,9087336214530012684,12704461108496152769,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1368,i,9087336214530012684,12704461108496152769,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1400 --field-trial-handle=1368,i,9087336214530012684,12704461108496152769,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1268 --field-trial-handle=1368,i,9087336214530012684,12704461108496152769,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 --field-trial-handle=1368,i,9087336214530012684,12704461108496152769,131072 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:22 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:23 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
N/A 224.0.0.251:5353 udp

Files

memory/1940-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\AppData\Local\Temp\loader.exe 

MD5 771eb39dd1312a63bb974018cb70d1b4
SHA1 94d751af62d417ff127ec0890179b5412b5e9e41
SHA256 98007690007fc38b33912f4113ccd7ddddbf881adfea23bf5cf53031666f2cfb
SHA512 4f9c5cefb8d9329ca7145fe15c0ab8bc445e5b9430776eaf06c51e810c14cb96a6cb679e36cf5713c3f1576e26199b72d6a8b1c819305a7d18f4c59b39e32af5

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 902bc13c7b437a5ea7814a56c7083c7e
SHA1 61ec421d2c0d10c50fb3fdd0ebe040ea1eba07e8
SHA256 a2006295e0e65e89662634bb44b688b670ed4596ab419aab6f54bb40a0340e7b
SHA512 032c3fb9f425730aa3cdbc1e9d602cc1381b6da845e5308aea44124eaccb489f7911e86c211d4248539c1e9b1145451c5c8e2ac15c051191ae4515f913f5649a

\??\c:\windows\resources\themes\explorer.exe

MD5 1786eab1c0c6984f7bc2a722fde30118
SHA1 ceb809e93211b078a2888552cad1972f6311ad35
SHA256 e499c81a5cb9b50b612989ddb444ecf42ed428a9f06ef28f6245a7086e9f2de5
SHA512 9230d5befb26aff6775e21fad17ea4043d42b360e84573853b2795cde04302f2d65734964565f35a89871b955b996743c8050be6a37a352dd8483793c6d5c166

C:\Windows\Resources\spoolsv.exe

MD5 73c0d2d1f72beb9823ebd9b59b05ae2c
SHA1 32e6b86c22c35eb5401fc934dad52488d99e94ce
SHA256 0559a5aa78b39df802638e950113d3fc7081633bc042386f69d6ed25bcbbb802
SHA512 77a8fbca06e3718904d4dc8d0dea05e4a3d5e0955c95734006f4f044dd28c877bbf7dc4797aed485486d5e72d9d6b3b7457284ac5ce406c106097e78bbe874e0

\??\c:\windows\resources\svchost.exe

MD5 8d7c18831ec6e0216aba474379a02184
SHA1 941b6453150604eaeb2454f115a5933b17cb4f62
SHA256 e349a063ddace73a94c5c9c8ecbbc427e562a36d3df471eeaf4ec07c1a796654
SHA512 69d94108f9c6f77e04bfdb03aa7b9c1219b270c0eeeb957b3ac3d88d58d8c93b225080632a4ea1ca9fecf9d4d1af5564bbe55cefb02f6b3fb787ba03f24b7d98

memory/2520-62-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2656-61-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2624-60-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2336-59-0x00000000002A0000-0x00000000002BF000-memory.dmp

memory/2336-58-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2220-57-0x00000000003A0000-0x00000000003BF000-memory.dmp

memory/2204-56-0x0000000140000000-0x0000000142564000-memory.dmp

memory/2220-35-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2624-63-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1940-65-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2220-64-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1940-34-0x0000000002D60000-0x00000000052C4000-memory.dmp

memory/2204-66-0x0000000140000000-0x0000000142564000-memory.dmp

memory/2204-68-0x0000000140000000-0x0000000142564000-memory.dmp

memory/2204-67-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 65232d276a8a7f6e80ae2fd476ed2041
SHA1 2fdbc7dfa90255005dc7678b9422a4ddc9540cda
SHA256 e9773847c2179f5202d121d4f3c84e0954a0fd5834d0d72131b4fcecf5c98a1e
SHA512 f5f75c0483d9fc1547d2ee4f54a99ab139d0d265059283ed9ee131e2de56f1740b861950eef649385d368eb9b6d9e4d2dd52d8459128725c982c4f6d78dc09a9

memory/2204-78-0x0000000140000000-0x0000000142564000-memory.dmp

memory/880-81-0x0000000140000000-0x0000000142564000-memory.dmp

memory/880-82-0x0000000140000000-0x0000000142564000-memory.dmp

memory/880-83-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Windows\System32\IME\SHARED\namef.ini

MD5 f32dea2b04dc3f7dca1ab634f22e501a
SHA1 069f843cc7f23a2a957af76feb337713893f2e7e
SHA256 b8386a42222a00e4844a222153a0e7ab20229eb7f788916a4e83d5f2997ec855
SHA512 864cc622d8c2433a6961fd9ac7713802034c0b60e4c85db7f2ad6f61aea83a0e8476d332802c5fe483564d7a5e8ebeb08a2ca98a4b2fb136484d6353ba31a4f4

memory/880-89-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

\??\pipe\crashpad_1792_UJALVPYWLSTRXGWK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\aded59e7-72db-481d-8a67-fe6d89e8686e.tmp

MD5 f8d65f206b464cb7c7ad21163f09bd70
SHA1 7ff6a28f7eafd74a14ad2d5f908f2c90554729d2
SHA256 3047f8363cdb89421f5fcc40e0515cc65fce7f8269edfc4a30315fbf8c198563
SHA512 548984016439350ffd651dfd5047fdd4f91d75575e09f1499e99abba01eda4d235fcb334a76746c0f261f14d24de4845559c9ea8b670e160ca5c50ad72d10692

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 03:19

Reported

2024-06-20 03:24

Platform

win10v2004-20240508-en

Max time kernel

330s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\winhb.sys C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1337824034-2731376981-3755436523-1000_UserData.bin C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{040debdf-be01-47b7-9d05-caad4e289de6}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\IME\SHARED\namef.ini \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
File opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\system32\SRU\SRU.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1337824034-2731376981-3755436523-1000_StartupInfo3.xml C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.jfm C:\Windows\System32\svchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{040debdf-be01-47b7-9d05-caad4e289de6}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\System32\IME\SHARED\namef.ini C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\system32\SRU\SRU.chk C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\NDF\{15DEA690-16F3-4305-8694-E5612B9F9306}-temp-06202024-0321.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\NDF\{15DEA690-16F3-4305-8694-E5612B9F9306}-temp-06202024-0321.etl C:\Windows\System32\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633271874535263" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\loader.exe  N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\sdiagnhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\msdt.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 
PID 4936 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe \??\c:\users\admin\appdata\local\temp\loader.exe 
PID 4936 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4936 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4936 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1152 wrote to memory of 4488 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1152 wrote to memory of 4488 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1152 wrote to memory of 4488 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 4488 wrote to memory of 2380 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4488 wrote to memory of 2380 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4488 wrote to memory of 2380 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2380 wrote to memory of 2104 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2380 wrote to memory of 2104 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2380 wrote to memory of 2104 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2104 wrote to memory of 4636 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2104 wrote to memory of 4636 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2104 wrote to memory of 4636 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 316 wrote to memory of 692 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 316 wrote to memory of 692 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 316 wrote to memory of 3620 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 316 wrote to memory of 3620 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\System32\cmd.exe
PID 316 wrote to memory of 4464 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 316 wrote to memory of 4464 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 692 wrote to memory of 3236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 692 wrote to memory of 3236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3620 wrote to memory of 3760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3620 wrote to memory of 3760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 316 wrote to memory of 4504 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 316 wrote to memory of 4504 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Windows\system32\cmd.exe
PID 316 wrote to memory of 4512 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 316 wrote to memory of 4512 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4512 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4512 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4512 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4864 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4864 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4728 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4728 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4512 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4512 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3056 wrote to memory of 3656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3056 wrote to memory of 3656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4512 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4512 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 3900 wrote to memory of 1064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3900 wrote to memory of 1064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4512 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 4512 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 4392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1632 wrote to memory of 4392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1632 wrote to memory of 2792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1632 wrote to memory of 2792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1632 wrote to memory of 2792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1632 wrote to memory of 2792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1632 wrote to memory of 2792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
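Each "wrote to memory of" row above is one WriteProcessMemory event, so the repeated rows are repeated writes into the same child, and reading the source and target images in order gives the chain Loader.exe -> icsys.icn.exe -> explorer.exe -> spoolsv.exe -> svchost.exe -> spoolsv.exe, where the last four carry the names of Windows binaries but run from C:\Windows\Resources rather than from C:\Windows or System32. The Python below is an added example and not part of the sandbox report: it parses a constructed subset of those rows (copied from the list above), rebuilds the parent-to-child chains, counts writes per pair, and flags system-binary names running outside their real home directories. The table of home directories is an assumption made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the "wrote to memory of" rows from the report,
# copied as they appear there (a repeated row is a repeated write event).
EVENTS = r"""
PID 4936 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1152 wrote to memory of 4488 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1152 wrote to memory of 4488 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1152 wrote to memory of 4488 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 4488 wrote to memory of 2380 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2380 wrote to memory of 2104 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2104 wrote to memory of 4636 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 316 wrote to memory of 4512 N/A \??\c:\users\admin\appdata\local\temp\loader.exe  C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4512 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\System32\cmd.exe
PID 4864 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1632 wrote to memory of 4392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
"""

# Both images may contain spaces, so split on the ".exe" boundary instead of on whitespace.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?\.exe)\s+(.+?\.exe)\s*$", re.I)

# Assumed home directories of the impersonated binaries (not from the report).
# A binary with one of these names outside its home is a masquerade (ATT&CK T1036.005).
SYSTEM_HOMES = {
    "explorer.exe": {"c:\\windows"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
}

def normalize(path):
    """Strip the NT object-manager prefix and lowercase, so both spellings in the log compare equal."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()

def basename(path):
    return path.rpartition("\\")[2]

def parse_events(text):
    """Yield (source_pid, target_pid, source_image, target_image) for every well-formed row."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            events.append((int(src), int(dst), normalize(src_img), normalize(dst_img)))
    return events

def build_tree(events):
    """Map each PID to its image, each parent to its distinct children, and count writes per pair."""
    images, children, counts = {}, defaultdict(list), Counter()
    for src, dst, src_img, dst_img in events:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
        counts[(src, dst)] += 1
    return images, children, counts

def descendant_chains(root, children):
    """All root-to-leaf PID chains; each hop is one process writing into the next."""
    if not children.get(root):
        return [[root]]
    return [[root] + tail for child in children[root] for tail in descendant_chains(child, children)]

def masqueraded(images):
    """PIDs whose image carries a system-binary name but lives outside that binary's home directory."""
    flagged = {}
    for pid, img in images.items():
        directory, _, name = img.rpartition("\\")
        homes = SYSTEM_HOMES.get(name)
        if homes is not None and directory not in homes:
            flagged[pid] = img
    return flagged

def report(text=EVENTS):
    images, children, counts = build_tree(parse_events(text))
    roots = [p for p in images if not any(p in kids for kids in children.values())]
    chains = [c for r in roots for c in descendant_chains(r, children)]
    return {"images": images, "counts": counts, "chains": chains, "masqueraded": masqueraded(images)}

if __name__ == "__main__":
    r = report()
    for chain in r["chains"]:
        print(" -> ".join(f"{pid}:{basename(r['images'][pid])}" for pid in chain))
    for pid, img in sorted(r["masqueraded"].items()):
        print(f"masquerade: PID {pid} {img}")
```

On the constructed rows this yields three chains (the Loader.exe injection chain, the Loader.exe -> cmd.exe -> sc.exe chain, and Chrome's own helper spawn), three writes for the 1152 -> 4488 pair, and four masquerading PIDs (4488, 2380, 2104, 4636); the Chrome rows are left alone because chrome.exe is not in the home-directory table.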

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

\??\c:\users\admin\appdata\local\temp\loader.exe 

c:\users\admin\appdata\local\temp\loader.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc stop iqvw64e.sys

C:\Windows\system32\sc.exe

sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys

C:\Windows\system32\sc.exe

sc stop iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\sc.exe

sc delete iqvw64e.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys

C:\Windows\system32\sc.exe

sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C sc start windowsproc

C:\Windows\system32\sc.exe

sc start windowsproc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc0b1eab58,0x7ffc0b1eab68,0x7ffc0b1eab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5012 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5080 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4520 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5176 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4744 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:8

C:\Windows\system32\msdt.exe

-modal "917586" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFB67.tmp" -ep "NetworkDiagnosticsWeb"

C:\Windows\System32\sdiagnhost.exe

C:\Windows\System32\sdiagnhost.exe -Embedding

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5096 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3152 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2440 --field-trial-handle=1936,i,12386465511429417420,17687577035180268613,131072 /prefetch:1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

C:\Windows\system32\ipconfig.exe

"C:\Windows\system32\ipconfig.exe" /all

C:\Windows\system32\ROUTE.EXE

"C:\Windows\system32\ROUTE.EXE" print

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
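Read in order, the sc.exe command lines above form a driver-replacement sequence: sc stop and sc delete remove a service named iqvw64e.sys (the file name of Intel's network adapter diagnostics driver, a driver widely abused by kernel-driver mappers; the report records only the stop and delete), then sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys registers a new kernel-mode driver service and sc start windowsproc loads it. That sequence is what the Creates new service(s), Stops running service(s), Drops file in Drivers directory, Launches sc.exe and LoadsDriver signatures are reporting. Each command is listed twice because the report shows both the cmd.exe /C wrapper and the sc.exe child it spawned. The Python below is an added example and not part of the report: it tokenizes a constructed copy of those command lines, collapses each wrapper/child pair to one event, and correlates the create and the start of the same kernel service so the load is reported as one finding rather than two unrelated sc calls.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: command lines copied from the Processes listing, in report order.
# The cmd.exe /C wrapper and its sc.exe child both appear, as they do in the report.
COMMAND_LINES = r"""
"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
C:\Windows\system32\cmd.exe /c cls
sc stop iqvw64e.sys
sc delete iqvw64e.sys
"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
"C:\Windows\System32\cmd.exe" /C sc start windowsproc
sc start windowsproc
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
"C:\Windows\system32\ipconfig.exe" /all
"""

TOKEN = re.compile(r'"[^"]*"|\S+')

def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole and unquoting them."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]

def sc_invocation(toks):
    """Return (verb, args) if sc or sc.exe appears anywhere in the tokens, else None.
    Scanning past the first token also catches the 'cmd.exe /C sc ...' wrapper form."""
    for i, t in enumerate(toks):
        if t.rpartition("\\")[2].lower() in ("sc", "sc.exe") and i + 1 < len(toks):
            return toks[i + 1].lower(), toks[i + 2:]
    return None

def kv_options(args):
    """Parse sc's 'key= value' options; accepts both 'type= kernel' and 'type=kernel'."""
    opts, i = {}, 0
    while i < len(args):
        key, eq, val = args[i].partition("=")
        if eq and not val and i + 1 < len(args):   # value was split off by the space after '='
            val = args[i + 1]
            i += 1
        if eq:
            opts[key.lower()] = val
        i += 1
    return opts

@dataclass
class Findings:
    alerts: list = field(default_factory=list)
    kernel_services: dict = field(default_factory=dict)   # service name -> driver binpath

def scan(text):
    """Run the driver-service rules over each command line, keeping state across lines."""
    f = Findings()
    seen = set()   # the wrapper and its sc.exe child carry the same sc arguments; count once
    for line in text.splitlines():
        inv = sc_invocation(tokens(line.strip()))
        if not inv:
            continue
        verb, args = inv
        key = (verb, tuple(a.lower() for a in args))
        if key in seen:
            continue
        seen.add(key)
        if verb in ("stop", "delete") and args and args[0].lower().endswith(".sys"):
            # A service named after a driver file: something is unloading/removing a driver.
            f.alerts.append(f"sc {verb} of driver-named service {args[0]}")
        elif verb == "create" and args:
            name, opts = args[0].lower(), kv_options(args[1:])
            if opts.get("type", "").lower() == "kernel":
                path = opts.get("binpath", "")
                f.kernel_services[name] = path
                f.alerts.append(f"kernel driver service {name} created for {path}")
        elif verb == "start" and args and args[0].lower() in f.kernel_services:
            # Correlated with the earlier create: this is the driver actually being loaded.
            f.alerts.append(f"kernel driver service {args[0].lower()} started: driver load from sc chain")
    return f

if __name__ == "__main__":
    for alert in scan(COMMAND_LINES).alerts:
        print(alert)
```

On the constructed lines this produces four findings (stop and delete of iqvw64e.sys, the create of windowsproc pointing at winhb.sys, and the correlated start of windowsproc) and ignores the cls, netsh and ipconfig lines. In a real pipeline the same logic would run over Sysmon event ID 1 or 4688 command lines, with the service-name state kept per host.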

Network

Country  Destination       Domain                    Proto
US       8.8.8.8:53        8.8.8.8.in-addr.arpa      udp
US       8.8.8.8:53        download.simpletoolz.fun  udp
US       8.8.8.8:53        clients2.google.com       udp
N/A      224.0.0.251:5353  -                         udp
US       8.8.8.8:53        google.com                udp
US       8.8.8.8:53        google.com                udp
US       8.8.8.8:53        youtube.com               udp
US       8.8.4.4:53        google.com                udp
US       8.8.8.8:53        4.4.8.8.in-addr.arpa      udp
US       8.8.8.8:53        clients2.google.com       udp
US       8.8.8.8:53        www.microsoft.com         udp
US       8.8.8.8:53        youtube.com               udp
US       8.8.8.8:53        clients2.google.com       udp
US       8.8.8.8:53        youtube.com               udp
US       8.8.8.8:53        youtube.com               udp
US       8.8.8.8:53        youtube.com               udp
US       8.8.8.8:53        clients2.google.com       udp
US       8.8.8.8:53        beacons.gcp.gvt2.com      udp
US       8.8.8.8:53        -                         udp

Files

memory/4936-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\loader.exe 

MD5 771eb39dd1312a63bb974018cb70d1b4
SHA1 94d751af62d417ff127ec0890179b5412b5e9e41
SHA256 98007690007fc38b33912f4113ccd7ddddbf881adfea23bf5cf53031666f2cfb
SHA512 4f9c5cefb8d9329ca7145fe15c0ab8bc445e5b9430776eaf06c51e810c14cb96a6cb679e36cf5713c3f1576e26199b72d6a8b1c819305a7d18f4c59b39e32af5

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 902bc13c7b437a5ea7814a56c7083c7e
SHA1 61ec421d2c0d10c50fb3fdd0ebe040ea1eba07e8
SHA256 a2006295e0e65e89662634bb44b688b670ed4596ab419aab6f54bb40a0340e7b
SHA512 032c3fb9f425730aa3cdbc1e9d602cc1381b6da845e5308aea44124eaccb489f7911e86c211d4248539c1e9b1145451c5c8e2ac15c051191ae4515f913f5649a

C:\Windows\Resources\Themes\explorer.exe

MD5 f5796eca6d50e183547bb931e7ba19b1
SHA1 e5043d22907d9fd8d02d43daf54d7079c89f6ff0
SHA256 91f2a5685dc5c4be7e826c0d7ab9ca7e92b874fcd4c906d72038a2b2207cd71d
SHA512 015fc1e29615cdeda424a117ff0c9361bab623adff38e27a4af43b335320a2ad55723d2f702e46da9561c1ef57a2ca7b0f1a3c0a5e90b6079153b7ef6055e245

memory/4488-26-0x0000000000400000-0x000000000041F000-memory.dmp

memory/316-21-0x0000000140000000-0x0000000142564000-memory.dmp

memory/316-25-0x00007FFC28F10000-0x00007FFC28F12000-memory.dmp

memory/1152-24-0x0000000000400000-0x000000000041F000-memory.dmp

\??\c:\windows\resources\spoolsv.exe

MD5 d0438e5680129e6c8153a01379d8d120
SHA1 fa4c39720b0161875a84079f2dc12c38620de450
SHA256 791b8303b8a792dc3d4f2600871565de9f027ce8c54ff2f489cd4f9ba3c40b32
SHA512 ece8ae9aa66d9bbaae2e277eba624b0158e8a221f969d8d7a8f61c10139585f02c929823d0f9797215cdf02cc3a9b639dc511ab8fa17688065c23c2f158aa0ba

memory/2380-37-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 3675e316f7e9e71441315350c774227e
SHA1 89f7ca38ef24103511d80bd9447b45139e2fb88d
SHA256 c6b859d6449e83b8fe534b1204661958fda95f8b0941ee63e62636d968c637bb
SHA512 c56093aaf453cb294ba91768dc37c7b5f60af65a7f0362d45e2a143a877e60b9a086ff5f6feb81fbce6a884848905f294492e839150c9a20629841376f673cca

memory/2104-41-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4636-49-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2380-50-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4936-52-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1152-51-0x0000000000400000-0x000000000041F000-memory.dmp

memory/316-53-0x0000000140000000-0x0000000142564000-memory.dmp

memory/316-54-0x0000000140000000-0x0000000142564000-memory.dmp

memory/316-55-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 b9c64c157c89210babeecda07782b18f
SHA1 bbba06ff8cf97b6e6a0de0ecb6ea6d9f89e41591
SHA256 d93604402a0283c8888b460565f99570b1ec8f0a6912b6fb0e08ffe150723cbf
SHA512 b72596e02ed4040ba1d0202a50ed9347b5ad571146d7cc2756ba77c57e722defdafc0727207a46d6d9fb9afa75e46d46a5ef28f9d43efd7d36d8e6dc00db7208

memory/316-65-0x0000000140000000-0x0000000142564000-memory.dmp

memory/4512-66-0x0000000140000000-0x0000000142564000-memory.dmp

memory/4512-68-0x0000000140000000-0x0000000142564000-memory.dmp

memory/4512-69-0x0000000140000000-0x0000000142564000-memory.dmp

memory/4512-70-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Windows\System32\IME\SHARED\namef.ini

MD5 f32dea2b04dc3f7dca1ab634f22e501a
SHA1 069f843cc7f23a2a957af76feb337713893f2e7e
SHA256 b8386a42222a00e4844a222153a0e7ab20229eb7f788916a4e83d5f2997ec855
SHA512 864cc622d8c2433a6961fd9ac7713802034c0b60e4c85db7f2ad6f61aea83a0e8476d332802c5fe483564d7a5e8ebeb08a2ca98a4b2fb136484d6353ba31a4f4

memory/4512-75-0x0000000140000000-0x0000000142564000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 cc54f1440d108212f6b41a0489d5441f
SHA1 b82d71e63663d3ebaf3b721fe677eda0699f1c64
SHA256 d210a3b33345fcad5be94c70f3f5ef40eba0c76930b9d8aa822177867132f519
SHA512 7302f248f29dda3d5d396b97172b36f6cebc49d06d55e5bfa5d23df96b41af0f2bfb0d724ced75d7a55949ab6e0d454264094c0fe3bede39a729c22e07c637ec

\??\pipe\crashpad_1632_HBSSEFGMVYUQURPX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6769f018b69e26d0351fe248e6cab44d
SHA1 ca85a1fd7bb8c5109771a90f1ab183aaa20882a6
SHA256 4e00b7d7b900d0198673b2ad6cff42d79660fb8469da4688c8feca91b15fcec4
SHA512 855233dd65b89f51b98ecc3aa5f7d5348d9a572b640c5bcfe7b46f3a41e43b606b01aabeaf36eaf12cf755cf8d8f370f0d3548415bcf1123dae69cc6d074fc66

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b017217241cf171489d3a3ff727f4e69
SHA1 56e68db44f62c561954020c6b00f10c1e6a0c47d
SHA256 5a7ec22577f4e67f51419d44f996dee1b82f59784d5b87af065052c883be404d
SHA512 6ea5586da762756e336b941dff8f835bd7543ff54ced199cfb82b6af9477a988f98d6b680e65325e0156a934d20647bcb3d29a7ef9c506e8258f33fa59bcafa5

C:\Users\Admin\AppData\Local\Temp\NDFFB67.tmp

MD5 486b726139dc669de4a9454d7cd8876f
SHA1 820fa154fa13f32897f8b6e9c9da117a1bb65648
SHA256 bd7cefccf93743a827f9ed92a2de510e9dc6dd925ddac1c2e21d06f169743dbb
SHA512 658f62e2c75ff627bef9e9bb0b96ba17b683141594540e59c20b8038019cab96cc2212b8801254498f7a537d27f7cc9989438cf525cb401d3786a564376cb77a

C:\Windows\Temp\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\en-US\DiagPackage.dll.mui

MD5 44c4385447d4fa46b407fc47c8a467d0
SHA1 41e4e0e83b74943f5c41648f263b832419c05256
SHA256 8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4
SHA512 191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

C:\Windows\Temp\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\DiagPackage.dll

MD5 580dc3658fa3fe42c41c99c52a9ce6b0
SHA1 3c4be12c6e3679a6c2267f88363bbd0e6e00cac5
SHA256 5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2
SHA512 68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ky3klhv.tlc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4568-509-0x00000247F4720000-0x00000247F4742000-memory.dmp

C:\Windows\TEMP\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\NetworkDiagnosticsTroubleshoot.ps1

MD5 d0cfc204ca3968b891f7ce0dccfb2eda
SHA1 56dad1716554d8dc573d0ea391f808e7857b2206
SHA256 e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a
SHA512 4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

C:\Windows\TEMP\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\UtilityFunctions.ps1

MD5 c912faa190464ce7dec867464c35a8dc
SHA1 d1c6482dad37720db6bdc594c4757914d1b1dd70
SHA256 3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201
SHA512 5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

C:\Windows\TEMP\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\UtilitySetConstants.ps1

MD5 0c75ae5e75c3e181d13768909c8240ba
SHA1 288403fc4bedaacebccf4f74d3073f082ef70eb9
SHA256 de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f
SHA512 8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

C:\Windows\TEMP\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\en-US\LocalizationData.psd1

MD5 380768979618b7097b0476179ec494ed
SHA1 af2a03a17c546e4eeb896b230e4f2a52720545ab
SHA256 0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2
SHA512 b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

C:\Windows\TEMP\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\StartDPSService.ps1

MD5 a660422059d953c6d681b53a6977100e
SHA1 0c95dd05514d062354c0eecc9ae8d437123305bb
SHA256 d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813
SHA512 26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

memory/824-519-0x0000018083010000-0x0000018083020000-memory.dmp

memory/824-523-0x0000018083050000-0x0000018083060000-memory.dmp

memory/824-527-0x0000018087510000-0x0000018087511000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582277.TMP

MD5 823dcbe92ba9c5c519afac6c1e119eac
SHA1 caa5fd4896dcd0ad6e8c4534573409b83a5f5fcc
SHA256 7ab3c423cc9f1359f46b74196ae626cc82c18c657279bf1360ee0dec44b44283
SHA512 e05f90b49122531b192776c0e165c99e91bba29186e648c18709d153eb43c9058b557e5f1b6f650d588312fc400ccc3e37246d02923a98fdd54c03b5df0f0e44

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 ffd420c0339c3304531b480fa7d03b98
SHA1 e420b1720481f0531a7c58982c3c15279a5e3f55
SHA256 de079bacf51b3834fa39899616a94d790084aa3ba6b00c58f02d8a64b167854f
SHA512 3f4b6211d9f7ae09f79664514c7b05f5b25680463752af5a29555fdc5d13356222be17444064591f1b383eb0860fa08120d2a529e16a52a320fa1c2c3a0e31ac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8ca6921633c9d76bbe10cc832a6e0e48
SHA1 05844e2974881eff5be2a99d8eaf7e52b7656f56
SHA256 443d4036f379a332005eeaebaa442d8dc359685644187a046dad9b105b6df695
SHA512 c329aa7d51a740b25a9f0b0527ff1690180eb0e60bb0fd305b9b8eefc7c3a22bebfd8136dacb568da76b4d3137cc17510772bed61716e05205b571f458880f73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 84abbf24bb29a315b39252fe3e61df7c
SHA1 007368ab57aec8c9164aef9fe14dd69aaaa4946c
SHA256 ea0eae5a53dbde9840f81719b7223be8182f6fde5b64a6f0da0e2690454a461e
SHA512 ad1ad942c133e4d8a2aa16738826bb9683a4b8920f2c2a67968156194c69a26180232e1937e144e45aff827242bd5391a00893df954cdd9b89e1cffa4084b0b2

C:\Windows\Temp\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\result\15DEA690-16F3-4305-8694-E5612B9F9306.Diagnose.Admin.0.etl

MD5 37a09c39d7d0d94457f81c6599fca230
SHA1 c10fc5dba8e0fc504cc06d3b72ffd1a5a5ad8a61
SHA256 6279d60d403f1c1ad9e9f8b535fe0147805e14bcb5da9778cde3e9e6b369951a
SHA512 86bd00b3be3a8cef9431fdf320d37f485730a068252aeff1dee924465bd29334dfe0caf7ee08e84717cbe7a46c2a5957479a7d29b8d36421b860c85fd83f795b

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp\NetworkConfiguration.ddf

MD5 00848049d4218c485d9e9d7a54aa3b5f
SHA1 d1d5f388221417985c365e8acaec127b971c40d0
SHA256 ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e
SHA512 3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp\ipconfig.all.txt

MD5 ce745cfb3da54abfd7c4b81b9d86b37e
SHA1 9c30518053b01a50af2bd96125039cfc9fc4ef56
SHA256 294120deda704c68e54f22e69e2acb500cf67ae482b2f8b7c4af80f23a3ebea5
SHA512 906d7ab224806d5698d7d3cbf2fe79d6f85cbfe6549b32a2d238ed7788130b6f3b0fec098f220390004f30e2f82b046ca3c9bf624efebb9ffcccd3aeee5ddbdc

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp\route.print.txt

MD5 d79bd29558539d4b2502d84f6d123239
SHA1 8e9e4da5f78205d24d48902b77cb3e90fa35425e
SHA256 e42bc676fb7370e49e5e1d02f83fef2e581b64c4bc4226a921a42b5f8a31d620
SHA512 195cf8a77b3e60675b5fe2d441504f38ec7092454f6fad1ef7bc7edfe52cd786f098d6333049944f9e6a1ca9e88eca1196ebee6f1018a50f83895dbe4ecf3dab

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp\NetworkConfiguration.cab

MD5 e4fb7be29ceed4902247a15a556eac18
SHA1 d11d8a6f3eeabff7fd241256b92dcc50463fe08c
SHA256 cddd11bff3affd46eadac3db9ec64e0d7de31a0ba2f3a059aad0ac449be79776
SHA512 e2933ae3acf7a30d5a8cbbb9d0b5f999b42bacfb755c446a6a40a7e804b42c69fa10b63f478201486f76ba846fcd189d0b74726f44b12e3cc6b1e38eb0ea82c5

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp\setup.rpt

MD5 e303f5335b647152bd32063e67c3bd79
SHA1 b3a3331755456162918ab0f11a8403e383f2cb81
SHA256 9b4ab4cbae00ac689256ab817d2867cd7caee6ea0c375040799b233c9b985b9b
SHA512 5e08f575f2b47de83c43b5bbf28464e8d6c38f901be5e313f68f1ddc1a7b0f870ca52fdffdf9b067e5fd46c07c2086c8074d6a9062f58afa53278db2f48a8d46

C:\Users\Admin\AppData\Local\Temp\tmpFAC6.tmp\setup.inf

MD5 dbd6f21b7a318ffc3d0db6344dc5e378
SHA1 ebfdcd4f58707053e95911702f85b559296a6577
SHA256 d0b00993969bc382bbe5cb690f7ffab2782abffe29b5b8643e4889b3cf9343c3
SHA512 7011e7885502883518d6c1fd2c7836945ab843ec8f59315c215df103f51448556ca5a7c7830acd902d269da163d42df2a362919aba1daee413ac83d65e3819f6

C:\Windows\TEMP\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\NetworkDiagnosticsResolve.ps1

MD5 d213491a2d74b38a9535d616b9161217
SHA1 bde94742d1e769638e2de84dfb099f797adcc217
SHA256 4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211
SHA512 5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

C:\Windows\TEMP\SDIAG_39ea3ffc-9fab-47d8-bfd9-7529a91dee52\NetworkDiagnosticsVerify.ps1

MD5 9b222d8ec4b20860f10ebf303035b984
SHA1 b30eea35c2516afcab2c49ef6531af94efaf7e1a
SHA256 a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc
SHA512 8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062003.000\NetworkDiagnostics.debugreport.xml

MD5 18069ab9a5db58a45452409f59291dcd
SHA1 513b6ef6da01cb53e26c76d5fccd5809c4e92749
SHA256 5c7a6025042932a76c7ef283c9a47c61067e4e25a6ab13785be40d78b329001e
SHA512 9ccebbc7793912d94baec4aa2f04ee1a60a81e855358829b5a051c9ee75543a35c425d8eead49c9ff30edb41dc93450878b1971beb9a0bb4b24d6e7ed036cd78

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062003.000\ResultReport.xml

MD5 057e307989255bcefe0948b7b01340fe
SHA1 8676c7043eee9ca94b460cab85cb875195c0f4a1
SHA256 48c188bbb70d7751b627ac5825de5c72d426bca2ca73b0a124549ae1f2217127
SHA512 eee9341068f1568841795738d00371d81c74528bbf82bbcc6da4182e8856b56db8e3286efc7bb544985d18abcf74df939d10c0146965672a696e6c4cb0e319b0

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062003.000\results.xsl

MD5 310e1da2344ba6ca96666fb639840ea9
SHA1 e8694edf9ee68782aa1de05470b884cc1a0e1ded
SHA256 67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c
SHA512 62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e3cf5ca2d855bac59fa909775ac48abe
SHA1 9afed6498f7d23800be13e8055e203359c4b78c8
SHA256 03960e4c9aa54ae6c56be7628383857fe8eead77bc954eda2300f04527742f43
SHA512 a64175f266ddb467f142b6add5e53d17e104c0c14fbdae3ac2dbfc9079ded04f90a1543eceb892d4c60ece4f135cac6167f004757a1f147c3e6ce77c3bfde573

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 672bc61a05a5bc5d40f2f5c07cff61e0
SHA1 5199a99546abc184b02f3e08f5c02b08571b6c99
SHA256 0d715c98316ef3ddb6dd14f5385900265469ac8e34943c55a3f8d5da272ddd23
SHA512 9ad3fd76483ee60f91048cd7f26fe35df97e38055eda16a5f7014fbc0534be794f55120ac921cace36bf5b97ad23e2c32be728c55950fb5408ed087a5ed24df2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 682d355de883636a39567930ae517f3a
SHA1 357c45495458c0068459d8bcd364f296b943ca19
SHA256 0caa56847d4f5db08952148e03e175b5883f6f673cfe7844c4ad30cfd01b7ffd
SHA512 0bc0c68cd351d870115c71283dbf262c72fe77b1a30c5aaab72b41528c51dcf9a5760a0393862a7d29e74a9097d9aee160a06d45e6aa3885a5f808c33ec98e68

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 c0f2f1e2f38207c4c1f15a60a522776a
SHA1 83c6dd33a4449a8c53da8b23371042e8b84e260b
SHA256 53386c80614ceaa198d27d63f8f1aa525cd23ad3a8e42012c74c8ee34470fb0a
SHA512 687b3fcbaa1b9db073ca2cd35f6365837485c7f17979ea3350b5aae0c2f7b651d6bb052e960ecb23df637256c0bac8b8e69b6054cfac63cb74970573477ba367

memory/824-790-0x0000018087630000-0x0000018087631000-memory.dmp

memory/824-791-0x0000018087620000-0x0000018087621000-memory.dmp

memory/824-793-0x0000018087520000-0x0000018087521000-memory.dmp

memory/824-794-0x0000018087510000-0x0000018087511000-memory.dmp

memory/824-796-0x0000018087510000-0x0000018087511000-memory.dmp

memory/824-799-0x0000018087460000-0x0000018087461000-memory.dmp

memory/4488-802-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2104-803-0x0000000000400000-0x000000000041F000-memory.dmp