Malware Analysis Report

2025-01-18 08:00

Sample ID 230812-kl1aysah84
Target d5fbc84f128e2f19c3ec80b201475c3a.exe
SHA256 246580aed9d35564ddba5061b5ce2293a7daadd4f4dc4e8ec393130eea2a3469
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

246580aed9d35564ddba5061b5ce2293a7daadd4f4dc4e8ec393130eea2a3469

Threat Level: Known bad

The file d5fbc84f128e2f19c3ec80b201475c3a.exe was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Downloads MZ/PE file

Stops running service(s)

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Themida packer

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-12 08:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-12 08:42

Reported

2023-08-12 08:44

Platform

win7-20230712-en

Max time kernel

67s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1804 created 1220 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1804 created 1220 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1804 created 1220 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE
PID 1804 created 1220 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2332 set thread context of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1144 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1144 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1144 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1084 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1084 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1084 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1084 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1144 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1144 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1144 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1144 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1144 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1144 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1144 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1144 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 2332 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 2332 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 2332 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 2460 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2460 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2460 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2460 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 2044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 2044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 2044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2924 wrote to memory of 876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe

"C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=33677 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataUFORZ" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUFORZ" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUFORZ\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUFORZ" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef1e99758,0x7fef1e99768,0x7fef1e99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=816 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1236 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=33677 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1520 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=33677 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1784 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {61B71C30-E7B6-400B-AD56-FDE4FFE5D734} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=33677 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2436 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=33677 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2572 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=33677 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2672 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=33677 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1788 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2708 --field-trial-handle=924,i,12577765911935457771,7782039308872704896,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp

Files

SHA256 d06478f2441d8d6bf3e6dd1ae314d1e2740b804156057b2aa9c7ba94e33abcbf
SHA512 4f212883b048e86d6e927146beaca62efe89c04c04b22c0fdac4ea47f1708426bb17978f4d10fa8144eca07564d07ea3da0e6af4066890a875e9b28150e5307b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUFORZ\Default\Code Cache\js\2016c72aa5f54f52_0

MD5 5c37c243a8727843f69a81323e780e44
SHA1 1f8b8df3d031dde9404211504123950dba045bb7
SHA256 8434b1aefc99ccfc746a2f35775f0d8df86303ded2da6f2b92c69d88e4352836
SHA512 8c59c001235ec40c86f47989a21d6dfa8adaaf7eb39ad1ba63f1745231da082838710102bc4b1d614129037aab4bac683fab722e8253ddbc65650c9dca289d03

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUFORZ\Default\Code Cache\js\10e544c7a72e2f65_0

MD5 60dd66838a6448a44529e64c614c98b8
SHA1 688e248a215288b256abf744e671bdb88505a33d
SHA256 6afc74137d778773ac9499ce4f68644fc7996e171811c5b7c2ea01c227c2b9e8
SHA512 741fa67ee9a8cb43ba8f18ba638fd8463b7317eb61a22302e0ac3f34d11bfd98125a9dc5dc163b93f2c48ce4ccab74f8ef2cb6453dd625534a39440d4e77d84b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataUFORZ\Default\Code Cache\js\06db5837b6c74111_0

MD5 81fecb018281887b158f55b8573efa46
SHA1 9161921ed04b60435ec18611123892360261b1b3
SHA256 9cd5e91697d4caae3e2f6bb13391cc6b5a753dd3b19ef5ef215f73641d1a597c
SHA512 80d389fc3211c41231b0082d291aae29dbf84651fddd1190f9713be14c436057ccaf04aea8e32cbf39e807f5c03f1bb75cfa9789d964bfb4072544425b281810

memory/2572-705-0x000000013FBF0000-0x0000000140E55000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-12 08:42

Reported

2023-08-12 08:44

Platform

win10v2004-20230703-en

Max time kernel

125s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe

"C:\Users\Admin\AppData\Local\Temp\d5fbc84f128e2f19c3ec80b201475c3a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 724 -ip 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1296

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
PL 51.83.170.21:19447 N/A tcp
US 8.8.8.8:53 21.170.83.51.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.130.241.8.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/724-133-0x0000000001A80000-0x0000000001AA9000-memory.dmp

memory/724-134-0x0000000003660000-0x000000000369F000-memory.dmp

memory/724-135-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/724-136-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/724-137-0x0000000006020000-0x0000000006030000-memory.dmp

memory/724-140-0x0000000006070000-0x0000000006614000-memory.dmp

memory/724-139-0x0000000006020000-0x0000000006030000-memory.dmp

memory/724-141-0x0000000006020000-0x0000000006030000-memory.dmp

memory/724-138-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/724-142-0x0000000006810000-0x0000000006E28000-memory.dmp

memory/724-143-0x0000000006E30000-0x0000000006F3A000-memory.dmp

memory/724-144-0x0000000001A80000-0x0000000001AA9000-memory.dmp

memory/724-145-0x0000000006F40000-0x0000000006F52000-memory.dmp

memory/724-146-0x0000000006F60000-0x0000000006F9C000-memory.dmp

memory/724-147-0x0000000003660000-0x000000000369F000-memory.dmp

memory/724-148-0x0000000074A30000-0x00000000751E0000-memory.dmp

memory/724-149-0x0000000006020000-0x0000000006030000-memory.dmp

memory/724-150-0x0000000006020000-0x0000000006030000-memory.dmp

memory/724-151-0x0000000006020000-0x0000000006030000-memory.dmp

memory/724-153-0x0000000007150000-0x00000000071C6000-memory.dmp

memory/724-154-0x00000000071D0000-0x0000000007262000-memory.dmp

memory/724-155-0x0000000007370000-0x00000000073D6000-memory.dmp

memory/724-156-0x0000000007BE0000-0x0000000007DA2000-memory.dmp

memory/724-157-0x0000000007DD0000-0x00000000082FC000-memory.dmp

memory/724-158-0x0000000006020000-0x0000000006030000-memory.dmp

memory/724-159-0x0000000008540000-0x0000000008590000-memory.dmp

memory/724-161-0x0000000000400000-0x00000000018D1000-memory.dmp

memory/724-163-0x0000000074A30000-0x00000000751E0000-memory.dmp