Malware Analysis Report

2025-01-18 08:17

Sample ID 230810-wer7jsga43
Target fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995
SHA256 fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995

Threat Level: Known bad

The file fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995 was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 17:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 17:50

Reported

2023-08-10 17:53

Platform

win10-20230703-en

Max time kernel

119s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2548 set thread context of 4548 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4268 set thread context of 4008 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 4268 set thread context of 3720 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 3276 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 3276 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2660 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2660 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 3652 wrote to memory of 3748 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 3748 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 700 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 700 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 4944 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 4944 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 308 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 308 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 4592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3652 wrote to memory of 4592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2756 wrote to memory of 4356 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2756 wrote to memory of 4356 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2756 wrote to memory of 4880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2756 wrote to memory of 4880 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2756 wrote to memory of 3572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2756 wrote to memory of 3572 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2756 wrote to memory of 3436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2756 wrote to memory of 3436 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3276 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 3276 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 3276 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2548 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4552 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 5108 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 5108 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 3860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 3860 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 168 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4552 wrote to memory of 168 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4448 wrote to memory of 4696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4448 wrote to memory of 4696 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4448 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4448 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4448 wrote to memory of 3660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4448 wrote to memory of 3660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4448 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4448 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4268 wrote to memory of 4008 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 4268 wrote to memory of 3720 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 4548 wrote to memory of 4592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 4592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 4592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe

"C:\Users\Admin\AppData\Local\Temp\fd64ca492cd7181e02bebe0d9b3b1c5616af08c7c1e1a7cc4e22ab41246c3995.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#sbqlommrhqchqvgxbcuu#> powershell <#sbqlommrhqchqvgxbcuu#> -Verb <#sbqlommrhqchqvgxbcuu#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=10707 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffb19d59758,0x7ffb19d59768,0x7ffb19d59778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1136 --field-trial-handle=1376,i,10730583884579402712,3168863134926366821,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1544 --field-trial-handle=1376,i,10730583884579402712,3168863134926366821,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=10707 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1876 --field-trial-handle=1376,i,10730583884579402712,3168863134926366821,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10707 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1376,i,10730583884579402712,3168863134926366821,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10707 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1376,i,10730583884579402712,3168863134926366821,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 14:23 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 14:23 /f /tn GoogleUpdateTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10707 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3008 --field-trial-handle=1376,i,10730583884579402712,3168863134926366821,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10707 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3144 --field-trial-handle=1376,i,10730583884579402712,3168863134926366821,131072 --disable-features=PaintHolding /prefetch:1

Network

Country Destination Domain Proto
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 226.98.244.136.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 177.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 185.159.129.168:80 tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
RU 185.149.146.118:80 tcp
RU 77.91.77.144:80 tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:80 pastebin.com tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
RU 46.29.235.84:80 46.29.235.84 tcp
US 8.8.8.8:53 84.235.29.46.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp

Files

memory/3276-118-0x0000000002470000-0x0000000002570000-memory.dmp

memory/3276-119-0x0000000003F10000-0x0000000003F4F000-memory.dmp

memory/3276-120-0x00000000041C0000-0x00000000041F8000-memory.dmp

memory/3276-121-0x0000000000400000-0x00000000022FF000-memory.dmp

memory/3276-122-0x0000000004350000-0x0000000004360000-memory.dmp

memory/3276-123-0x0000000006A00000-0x0000000006EFE000-memory.dmp

memory/3276-124-0x00000000042B0000-0x00000000042E4000-memory.dmp

memory/3276-125-0x0000000004330000-0x0000000004336000-memory.dmp

memory/3276-126-0x0000000073B60000-0x000000007424E000-memory.dmp

memory/3276-127-0x0000000007000000-0x0000000007606000-memory.dmp

memory/3276-128-0x0000000007610000-0x000000000771A000-memory.dmp

memory/3276-129-0x0000000004450000-0x0000000004462000-memory.dmp

memory/3276-130-0x0000000004470000-0x00000000044AE000-memory.dmp

memory/3276-131-0x0000000007780000-0x00000000077CB000-memory.dmp

memory/3276-132-0x0000000002470000-0x0000000002570000-memory.dmp

memory/3276-133-0x0000000003F10000-0x0000000003F4F000-memory.dmp

memory/3276-134-0x0000000000400000-0x00000000022FF000-memory.dmp

memory/3276-136-0x00000000079C0000-0x0000000007A36000-memory.dmp

memory/3276-137-0x0000000007A40000-0x0000000007AD2000-memory.dmp

memory/3276-138-0x0000000073B60000-0x000000007424E000-memory.dmp

memory/3276-139-0x0000000007AE0000-0x0000000007B46000-memory.dmp

memory/3276-140-0x0000000008340000-0x0000000008390000-memory.dmp

memory/3276-141-0x00000000083A0000-0x0000000008562000-memory.dmp

memory/3276-142-0x0000000008580000-0x0000000008AAC000-memory.dmp

memory/3276-143-0x0000000004350000-0x0000000004360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4892-160-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-159-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-161-0x00007FFB27160000-0x00007FFB2733B000-memory.dmp

memory/4892-162-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-163-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-164-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-165-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-166-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-168-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-169-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-171-0x00007FFB27160000-0x00007FFB2733B000-memory.dmp

memory/428-177-0x00007FFB0AEE0000-0x00007FFB0B8CC000-memory.dmp

memory/428-178-0x000002D1AF7C0000-0x000002D1AF7D0000-memory.dmp

memory/428-176-0x000002D1AF900000-0x000002D1AF922000-memory.dmp

memory/428-179-0x000002D1AF7C0000-0x000002D1AF7D0000-memory.dmp

memory/428-182-0x000002D1C8010000-0x000002D1C8086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqwauvea.12w.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/428-195-0x000002D1AF7C0000-0x000002D1AF7D0000-memory.dmp

memory/428-218-0x000002D1AF7C0000-0x000002D1AF7D0000-memory.dmp

memory/428-222-0x00007FFB0AEE0000-0x00007FFB0B8CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

memory/4892-226-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4100-230-0x00007FFB0AEE0000-0x00007FFB0B8CC000-memory.dmp

memory/4100-232-0x000001B73D700000-0x000001B73D710000-memory.dmp

memory/4100-231-0x000001B73D700000-0x000001B73D710000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ddc883a2c282f85269b719112bae397e
SHA1 49b2323fe97d9cff247375bbcb9957cff44e7930
SHA256 62169aa84d4d2914e251418d31904bfb0c3dec7529a68f2ef8bb7a7b371ddb5f
SHA512 1c3b213497447f813cf9242be6514317ba2a719380a0995b5058443ee52139df1e779cb73832d429dfbc6ba0c519a9fdfe1f5e6bc72bb116a2cb3b7a465a2ccc

memory/4100-248-0x000001B73D700000-0x000001B73D710000-memory.dmp

memory/4100-269-0x00007FFB0AEE0000-0x00007FFB0B8CC000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4892-271-0x00007FF63E9E0000-0x00007FF63FC06000-memory.dmp

memory/4892-272-0x00007FFB27160000-0x00007FFB2733B000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4268-274-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

memory/4268-275-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

memory/4268-276-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

memory/4268-278-0x00007FFB27160000-0x00007FFB2733B000-memory.dmp

memory/4268-279-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

memory/4268-280-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

memory/4268-281-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

memory/4268-282-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2548-288-0x0000000000C80000-0x0000000000F0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/4268-289-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

memory/4548-291-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2548-298-0x0000000000C80000-0x0000000000F0B000-memory.dmp

memory/4548-299-0x0000000000400000-0x0000000000527000-memory.dmp

memory/4548-300-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-301-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-303-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-302-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-304-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-305-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-306-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-307-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-308-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-309-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-310-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-311-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-312-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-313-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-314-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-315-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-316-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-317-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-318-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-319-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-320-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-321-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-322-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-323-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-324-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-325-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-326-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-327-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-328-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-329-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-330-0x00000000FF2F0000-0x00000000FF300000-memory.dmp

memory/4548-368-0x0000000077AD2000-0x0000000077AD3000-memory.dmp

memory/4268-408-0x00007FF71DB60000-0x00007FF71ED86000-memory.dmp

memory/3544-414-0x00007FFB0AEE0000-0x00007FFB0B8CC000-memory.dmp

memory/3544-416-0x000001407B220000-0x000001407B230000-memory.dmp

memory/3544-418-0x000001407B220000-0x000001407B230000-memory.dmp

memory/4268-417-0x00007FFB27160000-0x00007FFB2733B000-memory.dmp

memory/2548-433-0x0000000000C80000-0x0000000000F0B000-memory.dmp

memory/3544-438-0x00007FF7490F0000-0x00007FF749100000-memory.dmp

memory/3544-439-0x000001407B1A0000-0x000001407B1BC000-memory.dmp

memory/3544-445-0x000001407B4B0000-0x000001407B569000-memory.dmp

memory/3544-478-0x000001407B1C0000-0x000001407B1CA000-memory.dmp

memory/3544-535-0x000001407B220000-0x000001407B230000-memory.dmp

memory/3544-536-0x000001407B220000-0x000001407B230000-memory.dmp

memory/3544-569-0x00007FFB0AEE0000-0x00007FFB0B8CC000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 811d351aabd7b708fef7683cf5e29e15
SHA1 06fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA256 0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512 702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

memory/3104-577-0x00007FFB0AEE0000-0x00007FFB0B8CC000-memory.dmp

memory/3104-579-0x000001B043F30000-0x000001B043F40000-memory.dmp

memory/3104-581-0x000001B043F30000-0x000001B043F40000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 302a7c179ef577c237c5418fb770fd27
SHA1 343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA256 9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512 f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f088cacedd0e540517a04f285dec8d40
SHA1 86b01c0729811aab9aec55be2d1cf58d0bf03d58
SHA256 87adfca47ea6e00b11d20df68b4024d461cbde6baa8d5ebbe78f6797466bec7b
SHA512 4ead65d37e9c36bd32b723c56f11e97c5a73be13e6c2456f60d7751817d2b1b90e8d98bcb8f509362debd692000f0a07ef8765eb2f55e8b171b37a19997853c5

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17\Local State

MD5 435e82c99fd2afadfb9528f0e565bf60
SHA1 3be0a7f91099673129a2e953f771ca5e8204237c
SHA256 4a2df41814240f15fc9637cc6ab3d1b0b0c365101d6b491c6d42169e6c33d729
SHA512 48dcc771dc2c661bbdebde368b3eb36e24ce08d68aa9d55d0cd274ba9f87c73d86b44634db735886fb6013437ce0aaade7e53d7618c7274e5574c7a459d4c92c

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

\??\pipe\crashpad_664_KBMHBCDBNROWSICN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17\Default\Local Storage\leveldb\LOG

MD5 71904820abdc05276420f6ca704a101f
SHA1 9a6627d6091c41ff8e7aaed11653a6cc27134c28
SHA256 d82d1b8cf0bd92819e79c4011be11cd8ab8e69985c41bab07d960efa5b4820e1
SHA512 0fa891c405557cf4b37c67fc2255ee464a03933ad2127e97042268978212e5bd7cd936f81de2f1cf1b9cb148f31a86f845b09892faf4fe368eba3e6d37d9485b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17\Default\Local Storage\leveldb\LOG.old

MD5 3926d338e726e617b387d6740a3a6956
SHA1 ca06305346d739aa982676623fef57b66f2c09c5
SHA256 e47b24f282f298a3979571ec722445eee8fc32bcefbf4f823b742efdf031ee06
SHA512 68da1771256f74d4774ebc8204311a4119e44643a65fd495d27f0d4fedb056bc80d1cedb08cd996bde1e9b33b65ed55e081985488de33f48d18eaa5938a085b1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee5987c4039955f8715b04e63532e24f
SHA1 1b73b601b323e80dc326d8fc0ca592e300a201af
SHA256 d81d8db5ce6fbb676f4c61996f9e6591dc8ba953b4a6ac43fd91b656a5ac898f
SHA512 346eeed11ca158bbbdc357721bf539c8147781dac9a168bfc4befcd81fd396bdb185f2ea25c2522e9d426f6043da0695d962217f119cd5e62dc5d648bf75b973

C:\Users\Admin\AppData\Local\Google\Chrome\User DataRIX17\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73