Malware Analysis Report

2025-01-18 08:26

Sample ID 230810-s6br4agc3x
Target 43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4
SHA256 43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4

Threat Level: Known bad

The file 43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4 was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Reads user/profile data of web browsers

Executes dropped EXE

Themida packer

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 15:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 15:43

Reported

2023-08-10 15:46

Platform

win10-20230703-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2888 set thread context of 1036 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1660 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1660 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4316 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 4316 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1660 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1660 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1660 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2888 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3436 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 4340 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 4340 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 3140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 3140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 220 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3436 wrote to memory of 220 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2176 wrote to memory of 792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2176 wrote to memory of 792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2176 wrote to memory of 4800 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2176 wrote to memory of 4800 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2176 wrote to memory of 3804 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2176 wrote to memory of 3804 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2176 wrote to memory of 2752 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2176 wrote to memory of 2752 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1660 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1660 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1660 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1968 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1968 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 4452 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 4452 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2300 wrote to memory of 524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe

"C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 288

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=42049 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff950939758,0x7ff950939768,0x7ff950939778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1192 --field-trial-handle=1320,i,1086740612274223856,1267361563804394293,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1536 --field-trial-handle=1320,i,1086740612274223856,1267361563804394293,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=42049 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1844 --field-trial-handle=1320,i,1086740612274223856,1267361563804394293,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=42049 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1720 --field-trial-handle=1320,i,1086740612274223856,1267361563804394293,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=42049 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1792 --field-trial-handle=1320,i,1086740612274223856,1267361563804394293,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=42049 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2944 --field-trial-handle=1320,i,1086740612274223856,1267361563804394293,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=42049 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3076 --field-trial-handle=1320,i,1086740612274223856,1267361563804394293,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#ojysmzcrstmuvnken#> powershell <#ojysmzcrstmuvnken#> -Verb <#ojysmzcrstmuvnken#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

Network

Country Destination Domain Proto
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 226.98.244.136.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 177.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
RU 185.159.129.168:80 tcp
RU 185.149.146.118:80 tcp
RU 77.91.77.144:80 tcp
N/A 127.0.0.1:42049 tcp
N/A 127.0.0.1:42049 tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
N/A 127.0.0.1:42049 tcp
N/A 127.0.0.1:42049 tcp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:80 pastebin.com tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
RU 46.29.235.84:80 46.29.235.84 tcp
US 8.8.8.8:53 84.235.29.46.in-addr.arpa udp

Files

memory/1660-122-0x0000000002330000-0x0000000002430000-memory.dmp

memory/1660-123-0x0000000003F60000-0x0000000003F9F000-memory.dmp

memory/1660-124-0x0000000000400000-0x00000000022FC000-memory.dmp

memory/1660-125-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1660-127-0x00000000042A0000-0x00000000042D8000-memory.dmp

memory/1660-126-0x00000000068F0000-0x0000000006900000-memory.dmp

memory/1660-128-0x00000000068F0000-0x0000000006900000-memory.dmp

memory/1660-129-0x00000000068F0000-0x0000000006900000-memory.dmp

memory/1660-130-0x0000000006900000-0x0000000006DFE000-memory.dmp

memory/1660-131-0x00000000068A0000-0x00000000068D4000-memory.dmp

memory/1660-132-0x00000000041E0000-0x00000000041E6000-memory.dmp

memory/1660-133-0x0000000006FB0000-0x00000000075B6000-memory.dmp

memory/1660-134-0x00000000075C0000-0x00000000076CA000-memory.dmp

memory/1660-136-0x0000000002330000-0x0000000002430000-memory.dmp

memory/1660-135-0x00000000076D0000-0x00000000076E2000-memory.dmp

memory/1660-137-0x00000000068F0000-0x0000000006900000-memory.dmp

memory/1660-138-0x00000000076F0000-0x000000000772E000-memory.dmp

memory/1660-139-0x0000000007780000-0x00000000077CB000-memory.dmp

memory/1660-140-0x0000000003F60000-0x0000000003F9F000-memory.dmp

memory/1660-141-0x0000000000400000-0x00000000022FC000-memory.dmp

memory/1660-142-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1660-144-0x00000000068F0000-0x0000000006900000-memory.dmp

memory/1660-145-0x00000000079C0000-0x0000000007A36000-memory.dmp

memory/1660-146-0x0000000007A40000-0x0000000007AD2000-memory.dmp

memory/1660-147-0x0000000007AE0000-0x0000000007B46000-memory.dmp

memory/1660-148-0x00000000068F0000-0x0000000006900000-memory.dmp

memory/1660-149-0x0000000008440000-0x0000000008490000-memory.dmp

memory/1660-150-0x0000000008490000-0x0000000008652000-memory.dmp

memory/1660-151-0x0000000008660000-0x0000000008B8C000-memory.dmp

memory/1660-152-0x00000000068F0000-0x0000000006900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4488-168-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

memory/4488-170-0x00007FF95D040000-0x00007FF95D21B000-memory.dmp

memory/4488-169-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

memory/4488-171-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

memory/4488-172-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

memory/4488-173-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

memory/4488-174-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

memory/4488-175-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

memory/4488-177-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/4488-182-0x00007FF95D040000-0x00007FF95D21B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2888-184-0x0000000000840000-0x0000000000ACB000-memory.dmp

memory/1300-191-0x00007FF940F70000-0x00007FF94195C000-memory.dmp

memory/1300-192-0x0000022EA6C80000-0x0000022EA6C90000-memory.dmp

memory/1300-193-0x0000022EA6C30000-0x0000022EA6C52000-memory.dmp

memory/1300-196-0x0000022EA6E10000-0x0000022EA6E86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zecqjcj0.ylu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2888-207-0x0000000000840000-0x0000000000ACB000-memory.dmp

memory/1300-210-0x0000022EA6C80000-0x0000022EA6C90000-memory.dmp

memory/1300-233-0x0000022EA6C80000-0x0000022EA6C90000-memory.dmp

memory/1036-234-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2888-236-0x0000000000840000-0x0000000000ACB000-memory.dmp

memory/1300-244-0x00007FF940F70000-0x00007FF94195C000-memory.dmp

memory/1036-246-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1036-247-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-249-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-248-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-250-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-251-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-252-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-253-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-254-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-255-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-256-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-257-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-258-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-260-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-259-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-261-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-263-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-264-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-266-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-265-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-262-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-267-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-269-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-270-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-271-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-272-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-273-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-274-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

memory/1036-275-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-278-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-281-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/32-283-0x00007FF940F70000-0x00007FF94195C000-memory.dmp

memory/1036-284-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-288-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/32-289-0x0000018445A50000-0x0000018445A60000-memory.dmp

memory/1036-285-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-290-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-293-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-294-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-292-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-295-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-296-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/1036-291-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

memory/32-287-0x0000018445A50000-0x0000018445A60000-memory.dmp

memory/1036-279-0x00000000FEF80000-0x00000000FEF90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 629b077c2a01b576b63f87aea03dea38
SHA1 be77e9a89f28a7e8125b49b9dcb241818135fa99
SHA256 058cf97157b7f2d64f488a642396df3d53786e4593bbedcaf0173dcf385c67b9
SHA512 de42779f68b04ea0ff0f2b44a5799aaedf4078f1c822a32d533a67c3eb0d188d56bd98e2c64f58a77b477f22d90a8f84d38b2ff2a657d494d3a275b04af7609d

memory/1036-344-0x0000000077D12000-0x0000000077D13000-memory.dmp

memory/32-347-0x0000018445A50000-0x0000018445A60000-memory.dmp

memory/32-403-0x00007FF940F70000-0x00007FF94195C000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4488-406-0x00007FF95D040000-0x00007FF95D21B000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4488-407-0x00007FF696DA0000-0x00007FF697FC6000-memory.dmp

memory/2256-410-0x00007FF6AF470000-0x00007FF6B0696000-memory.dmp

memory/2256-412-0x00007FF95D040000-0x00007FF95D21B000-memory.dmp

memory/2888-411-0x0000000000840000-0x0000000000ACB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/1968-422-0x0000000001060000-0x0000000001694000-memory.dmp

memory/1968-425-0x0000000077D14000-0x0000000077D15000-memory.dmp

memory/1660-429-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1968-430-0x0000000003140000-0x00000000031B0000-memory.dmp

memory/1968-433-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1968-435-0x0000000005C10000-0x0000000005CC2000-memory.dmp

memory/1660-434-0x0000000000400000-0x00000000022FC000-memory.dmp

memory/1968-436-0x0000000005CC0000-0x0000000005CE2000-memory.dmp

memory/1968-432-0x00000000036B0000-0x000000000371C000-memory.dmp

memory/1968-437-0x0000000005DD0000-0x0000000006120000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Local State

MD5 62d099a88c2133371e2b191166c5813a
SHA1 f6ad9440277409f8a047ed4b06d10c0a25e7abb3
SHA256 6a6daddb4fef38f097b205ce317d5c9e53fea42cebc8967b941d8b012d711dbe
SHA512 3b2ed94c887479a371e3917338d8669e99a38ba75e89ced81ea2468abe5d62f76cc3fbfe03eac5b7ca7553d104ac80bce4296b3b47dbfe22e8aaba29d71420af

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

\??\pipe\crashpad_2300_NZRAOHFSNNHYMDIT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Local Storage\leveldb\LOG

MD5 6efc3652e56f6a1e866a63184485804f
SHA1 e80f7e4620ab23f08cf99f44fe3bb36dece3a963
SHA256 2243d5358cca89772162b1d4e86e1f622c029bf4737b6ded769031cdd91a6325
SHA512 448aa0b4f3a24f0ac9d993684796f3ca0bf7d65e6a966c8b797acd60f431af35f83efb26917eaecff2b67e2771614e8fc4590bc82eaf247bf2ab2ed74a3020a5

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Local Storage\leveldb\LOG.old

MD5 349e23caf549789db0403e7bbfdeae6e
SHA1 1a0b8a7fec41ff805af769a8dbd6b3c308fcd03a
SHA256 14afc4cf02aa76280b4aab23145c9ae28577ead712e3304ae2c83b792462ebcc
SHA512 7a2af6b8aa7f81a8be631ac11b7b2a7a1d86acadf490c0e3e875e8e541e8efc46b04828e01f527935d0ddb31b091dd036567d054e030cd68c7cb462279cbca8f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 811d351aabd7b708fef7683cf5e29e15
SHA1 06fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA256 0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512 702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 302a7c179ef577c237c5418fb770fd27
SHA1 343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA256 9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512 f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3174ce13031edae92db0cf6e0c97691a
SHA1 4ff8312a1138bdef6031eac282acc68454fd6b16
SHA256 de67219c41f6f50081dbdb235c0d1b0df9a6aff87a1c0f088eafec2ef3e8542e
SHA512 ceb653d9c2f4507ff993ee49a57f25c6f593f44ea48e24a7319841c2340e825c78efb3ef74a4a4f7fb32e15ca1ade7372ea6a7c6a6f8c16568f20c0524a8ad05

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Local Storage\leveldb\LOG

MD5 266e99db939c263a2651e002c91a04a3
SHA1 76059d67ebd01fce1bb7b78bba078bd05da82872
SHA256 89db497356e900b3677c3a11c5f868bc0ea20e3f43f0be2614375f943531e8d1
SHA512 2227543484b80b806b18c029244fad6f70e1b42f8e366fdf0cda595720d14e5adac0b50b68a72e8c9b7b023f1e046ee29075f5fdf2519d123c4ccb79f144dcf2

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\GPUCache\index

MD5 58fe7a5ae5febef5fc928a16d1977439
SHA1 205bf72ab3d274856b4220af4df17f61e1cbc96f
SHA256 7811791150bc49349b1971d985ee389ada27f3f8f6e49c97812a38d9b5371c95
SHA512 c759bc0ac411fdd359499aa543aa9f8aa2ff587413994c31b574eeabd3561fdfb7c750956bb816a9946ac608e1f005e5ecf0f8baa724dcdd870607637120ccbd

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\index

MD5 399f374ce34f8399cb99f5f5bac02c62
SHA1 b6e0ead206c8161732c0167be090e2610f7d6c3a
SHA256 9834d45aa93255e277e7d5fc418f857bf8c99a1446bb6ef5fd1def34dcd513a3
SHA512 6f6ee941090371621b9ad6718f2f7bdb77d2fa301d6bfdc609acae612c4672b3ec6b86d7facfd8707a256aedc16a523e701f6acc7214bc5f668f5a0e572975e5

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Code Cache\wasm\index-dir\the-real-index

MD5 bda65b080a712e782f97eedfef1922d9
SHA1 80f5962469af40cbcdd69907203f959b11c66f31
SHA256 b1c2a4c8d8d01156d9b15f355a9d107cbde092fd6d4f6ad4d188ee8b039b31db
SHA512 d4e9b5c39822783832b83c88040e675f0c1fec62eab40ea36307e4fc12ce7bf7db71579d1c0790dc15cb59113815d329151918f34c371217f62e8b16ee4dc379

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Code Cache\js\index-dir\the-real-index

MD5 bda65b080a712e782f97eedfef1922d9
SHA1 80f5962469af40cbcdd69907203f959b11c66f31
SHA256 b1c2a4c8d8d01156d9b15f355a9d107cbde092fd6d4f6ad4d188ee8b039b31db
SHA512 d4e9b5c39822783832b83c88040e675f0c1fec62eab40ea36307e4fc12ce7bf7db71579d1c0790dc15cb59113815d329151918f34c371217f62e8b16ee4dc379

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Cache\Cache_Data\index

MD5 3ed1c678a2fac556560c54ea7a0f2fee
SHA1 0481b612e7a95b1dd70c07c899042dcf596a0920
SHA256 f556c80fba80cea4b9bbd76180cbb9b0b29fe33440a9288732a38dde469ee2fa
SHA512 8be9367b43f90a0d1ee04e129bf53e86b7a161b487ba0cc5a51db1131a7d0fa3b0a224b5fef9bf1a8696b58ea4ad457bc41710afc81b861116756c95257124a0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Cache\Cache_Data\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Cache\Cache_Data\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Cache\Cache_Data\data_1

MD5 1663ee1068e7e47c308515c2a4ce7ec6
SHA1 9e80b44de6eb13de893e983e10c06e6b66c3d731
SHA256 68d0994088f0357205da5c29e160c296c8828e5bc039f8c11fd032eab07ec413
SHA512 eee1e6cc531cf20251147ca46ce5354be0d419640d7e86f86f1bbcee95f363ffa1226089531ac586769da7bd34c8b7da080fec12fc2e4dc860b3e84f015d47b1

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Cache\Cache_Data\data_0

MD5 d1f604157b0745a40453afb93a6caa42
SHA1 3d5d77429b03674ebb0ba34d925ba1b09310df5e
SHA256 468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5
SHA512 0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Crashpad\settings.dat

MD5 e5fed678227ff40d655ce1a46fbc6aa1
SHA1 842d9777a97158d5c126154e72a3bb07991aa894
SHA256 05bc0b3f31a287024608c6bae2a554bc6c3a5185dcfd5c7fad95e034f400b249
SHA512 ed4dd4347a52374ace979aa67c9fe47591eecaa4c464fccd353ebca69ccf8e6a546aea37c9b06d3e6e8e46919b3b9bf3c9f2c548738015f2c76332af1fbc3140

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\DevToolsActivePort

MD5 c5967c6f458ab8e2313482fe9f39073f
SHA1 c422b9dbfb8be3b4785a3f4d8763ef5a69b407fa
SHA256 21fdb949bd0b919eafcb6949fb913ecebc77fa049035a0dc06faa2b261c0a833
SHA512 0d7c217400f0fed8803e154ec1e501c311e80c76de1e75acaa30c133c3c5ce5adcaef43e4db7300b14f12e3cd74fed9bcaeec4a02d953214c423c538abeb8353

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User DataMKJRV\Default\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6d374200715edd4a873baaff8043354
SHA1 35152a329b15087fad5f8da6b174bf4225fba6d5
SHA256 cb1383da4722bd75b1b5b3b156d8dd1249d4df8a58fac413fe5117b4dd8eae52
SHA512 e17856cde5052803e66943338c700319f6e3c3249a59cddb8ded399bc6dd219b51466c6cd06f9d654a2aa5f6d15e9a86b70e44e90b1a70699f7f142064a42c0e