Malware Analysis Report

2025-01-18 08:00

Sample ID 230812-tk9yfacd23
Target 4744-320-0x00000000036E0000-0x0000000003714000-memory.dmp
SHA256 015c6d85a301f2213b33781b1ede832643b41f8cc3437abff3fcc8b68229de75
Tags
logsdiller cloud (tg: @logsdillabot) redline infostealer spyware stealer evasion persistence themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

015c6d85a301f2213b33781b1ede832643b41f8cc3437abff3fcc8b68229de75

Threat Level: Known bad

The file 4744-320-0x00000000036E0000-0x0000000003714000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

logsdiller cloud (tg: @logsdillabot) redline infostealer spyware stealer evasion persistence themida

Redline family

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Themida packer

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-12 16:08

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-12 16:08

Reported

2023-08-12 16:10

Platform

win7-20230712-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe"

Network

Country Destination Domain Proto
PL 51.83.170.21:19447 tcp

Files

memory/1964-54-0x0000000000380000-0x00000000003B4000-memory.dmp

memory/1964-55-0x00000000745F0000-0x0000000074CDE000-memory.dmp

memory/1964-56-0x0000000000200000-0x0000000000206000-memory.dmp

memory/1964-57-0x0000000000500000-0x0000000000540000-memory.dmp

memory/1964-58-0x00000000745F0000-0x0000000074CDE000-memory.dmp

memory/1964-59-0x0000000000500000-0x0000000000540000-memory.dmp

memory/1964-60-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-12 16:08

Reported

2023-08-12 16:10

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4232 set thread context of 1192 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 568 set thread context of 888 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 568 set thread context of 1336 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2680 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2680 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1264 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1264 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2680 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2680 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2680 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4232 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4232 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2680 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2680 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2680 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4692 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 3996 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 1796 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 1796 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 856 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4036 wrote to memory of 856 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\4744-320-0x00000000036E0000-0x0000000003714000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 284

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbf6899758,0x7ffbf6899768,0x7ffbf6899778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=36410 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1392 --field-trial-handle=1504,i,17681361176464413995,10713861120992830513,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1676 --field-trial-handle=1504,i,17681361176464413995,10713861120992830513,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=36410 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2024 --field-trial-handle=1504,i,17681361176464413995,10713861120992830513,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=36410 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2416 --field-trial-handle=1504,i,17681361176464413995,10713861120992830513,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=36410 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2616 --field-trial-handle=1504,i,17681361176464413995,10713861120992830513,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=36410 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3188 --field-trial-handle=1504,i,17681361176464413995,10713861120992830513,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=36410 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3324 --field-trial-handle=1504,i,17681361176464413995,10713861120992830513,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbf67546f8,0x7ffbf6754708,0x7ffbf6754718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=49799 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8" --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1132,6142515358306156360,646122353515983656,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1460 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1132,6142515358306156360,646122353515983656,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1864 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49799 --allow-pre-commit-input --field-trial-handle=1132,6142515358306156360,646122353515983656,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1980 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#xdjvgrjdoekfeem#> powershell <#xdjvgrjdoekfeem#> -Verb <#xdjvgrjdoekfeem#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49799 --allow-pre-commit-input --field-trial-handle=1132,6142515358306156360,646122353515983656,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49799 --allow-pre-commit-input --field-trial-handle=1132,6142515358306156360,646122353515983656,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49799 --allow-pre-commit-input --field-trial-handle=1132,6142515358306156360,646122353515983656,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49799 --allow-pre-commit-input --field-trial-handle=1132,6142515358306156360,646122353515983656,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3144 /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 12:31 /f /tn WindowsSecurityUpdate_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 12:31 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 126.132.241.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
PL 51.83.170.21:19447 tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 21.170.83.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 126.129.241.8.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
RU 185.159.129.168:80 tcp
RU 185.149.146.118:80 tcp
RU 77.91.77.144:80 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
N/A 127.0.0.1:36410 tcp
N/A 127.0.0.1:36410 tcp
N/A 127.0.0.1:36410 tcp
N/A 127.0.0.1:36410 tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:80 pastebin.com tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
RU 46.29.235.84:80 46.29.235.84 tcp
US 8.8.8.8:53 84.235.29.46.in-addr.arpa udp
N/A 127.0.0.1:49799 tcp
N/A 127.0.0.1:49799 tcp
N/A 127.0.0.1:49799 tcp
N/A 127.0.0.1:49799 tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/2680-136-0x0000000000790000-0x00000000007C4000-memory.dmp

memory/2680-137-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/2680-138-0x00000000058C0000-0x0000000005ED8000-memory.dmp

memory/2680-139-0x00000000053B0000-0x00000000054BA000-memory.dmp

memory/2680-141-0x0000000002B80000-0x0000000002B90000-memory.dmp

memory/2680-140-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/2680-142-0x00000000052E0000-0x000000000531C000-memory.dmp

memory/2680-143-0x00000000056E0000-0x0000000005756000-memory.dmp

memory/2680-144-0x0000000005800000-0x0000000005892000-memory.dmp

memory/2680-145-0x0000000005760000-0x00000000057C6000-memory.dmp

memory/2680-146-0x0000000006980000-0x0000000006F24000-memory.dmp

memory/2680-147-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/2680-148-0x0000000002B80000-0x0000000002B90000-memory.dmp

memory/2680-149-0x00000000067A0000-0x0000000006962000-memory.dmp

memory/2680-150-0x0000000007B50000-0x000000000807C000-memory.dmp

memory/2680-151-0x0000000007100000-0x0000000007150000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40

C:\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

C:\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

C:\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

memory/5108-173-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

memory/5108-172-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

memory/5108-174-0x00007FFC136F0000-0x00007FFC138E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/4232-183-0x0000000000ED0000-0x000000000115B000-memory.dmp

memory/5108-184-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

memory/5108-185-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

memory/5108-186-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

memory/5108-187-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

memory/5108-188-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

memory/4232-190-0x0000000000ED0000-0x000000000115B000-memory.dmp

memory/1192-189-0x0000000000510000-0x0000000000637000-memory.dmp

memory/1192-197-0x0000000000510000-0x0000000000637000-memory.dmp

memory/1192-199-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-200-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-201-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/5108-198-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

memory/1192-202-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-203-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-204-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-205-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-208-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-207-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-209-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-206-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-210-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-211-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-212-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-213-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-215-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-214-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-216-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-217-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-219-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-221-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-218-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-220-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-222-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-223-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-225-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-224-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-226-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-227-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-229-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-228-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-231-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-230-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-232-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-234-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-233-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-236-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-235-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-238-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-237-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-239-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-240-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-241-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-242-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-243-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-244-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-245-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/1192-246-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/4232-247-0x0000000000ED0000-0x000000000115B000-memory.dmp

memory/1192-248-0x00000000FFCB0000-0x00000000FFCC0000-memory.dmp

memory/5108-265-0x00007FFC136F0000-0x00007FFC138E5000-memory.dmp

memory/1192-266-0x00000000770D2000-0x00000000770D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/4692-279-0x0000000000B30000-0x0000000001164000-memory.dmp

memory/4692-280-0x00000000770D4000-0x00000000770D6000-memory.dmp

memory/4692-285-0x0000000003B70000-0x0000000003BE0000-memory.dmp

memory/4692-287-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/2680-288-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/4692-289-0x0000000006670000-0x0000000006680000-memory.dmp

memory/4692-291-0x0000000006670000-0x0000000006680000-memory.dmp

memory/4692-292-0x0000000006670000-0x0000000006680000-memory.dmp

memory/4692-293-0x0000000006670000-0x0000000006680000-memory.dmp

memory/4692-290-0x0000000006850000-0x0000000006872000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Local State

MD5 5a020cbdde9b4fe8b7fcdf12b61e2d2a
SHA1 178de727ffd6ba56465a23934c8573df86850b47
SHA256 ce22ba35a8430e8e49ed71fc22c587ba55d5e9a92f88e6284a19efaf0b2906ed
SHA512 5b7f53b1d6823292029c7b827b17b32ccc6081236c6cae671ebd859ef173432e5732ed08728b0377f67ee5ecc3d34ac632134ba3a8640b064ae0376bb3402019

\??\pipe\crashpad_4036_QFTANOIWYAYTPCEC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Local Storage\leveldb\LOG

MD5 634be78286a7334c313df6ce71e77370
SHA1 d6f51b6c5af7f7e832c52bfab554b9162d22f328
SHA256 2efacc03eddfa091c43654c303089e8784a99aa9179815482ec586643c8fb0bb
SHA512 bbea504e4212475032e639b533eef8f0caf90e67efa114309a91b53b4c06f1b822bd0421f04854e5f6222b09e4ca16247507172c4012edcd333e0181b7237c54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Local Storage\leveldb\LOG.old

MD5 9a5e5f0c8cd309c85e5ae1ffe323637a
SHA1 3491193d11307250ff5bd40f116f5ef80763ecfc
SHA256 ec875fe786fb69122b06d9f7acd5e7983f54bee58e41c503a317de7d529c97ab
SHA512 a3f2594c470a93eb9369353b1ca37698f46a15b61852e1fa58580baa915513ebc39e7823b3f777be53302a945a9b6a3407696ff49d9bad6a7ce3823754da2adb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Network\TransportSecurity

MD5 47a5345135389b2179425840b8653eef
SHA1 349633e3e42e77efcc1e483f56855afc5a2a146e
SHA256 e875de875f46ef6ed4a69c618f34814c572d2d72639359ff9da6e83cba54d634
SHA512 f1710f558734cd6bc7a044dce56561c65f430b28b61ffff254e2ec82265ccb72649f678b0d862d26406cc104f5c7bf74998363726e1b321e3905355eecba04f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Network\Reporting and NEL

MD5 7ce2de3b8d9058dac1937af60cdaaa9e
SHA1 ac4d7c3bba185dd36c317a569a370170f9121df8
SHA256 a0797ce5ea314608bcd32df96330ee2f061170e5905df7396c09e1405d35d8ce
SHA512 dd5f54a7785f6eb27feca36f301b95d01af03d17a76c111e7e0a9234235bbcf92d9221f730d7b97fbde83258897abfb2bd01d8a95a5d39552131243c8ad5804e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Network\Network Persistent State

MD5 106b445f396cfd435f854a648745b69d
SHA1 fe2ee6e496683904a0a81294d1abf595cf86e821
SHA256 5a3ba5ba4b654af8d5c481c1bc7322e9823eb3067a05d5ff9380b5b0c3f343c3
SHA512 9ab2f348649fb3745aa1180300bad3759bf3d39db9106d9cc4e870890e0c8c45bd560abcad32b2cfa80a3cea7f2081955d3d3167e99d472666ff9b94b5a389cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

memory/3912-402-0x0000021C5D890000-0x0000021C5D8B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxed10ok.g3e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3912-413-0x00007FFBF37F0000-0x00007FFBF42B1000-memory.dmp

memory/3912-414-0x0000021C5D8E0000-0x0000021C5D8F0000-memory.dmp

memory/3912-415-0x0000021C5D8E0000-0x0000021C5D8F0000-memory.dmp

memory/4692-416-0x0000000000B30000-0x0000000001164000-memory.dmp

memory/3912-417-0x0000021C5D8E0000-0x0000021C5D8F0000-memory.dmp

memory/3912-419-0x00007FFBF37F0000-0x00007FFBF42B1000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

memory/4692-423-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/1588-425-0x00007FFBF38A0000-0x00007FFBF4361000-memory.dmp

memory/4692-426-0x0000000006670000-0x0000000006680000-memory.dmp

memory/4692-432-0x0000000006670000-0x0000000006680000-memory.dmp

memory/1588-437-0x000001B7247E0000-0x000001B7247F0000-memory.dmp

memory/1588-438-0x000001B7247E0000-0x000001B7247F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

memory/4692-441-0x0000000006670000-0x0000000006680000-memory.dmp

memory/4692-440-0x0000000006670000-0x0000000006680000-memory.dmp

memory/1588-442-0x000001B7247E0000-0x000001B7247F0000-memory.dmp

memory/1588-444-0x000001B7247E0000-0x000001B7247F0000-memory.dmp

memory/1588-446-0x00007FFBF38A0000-0x00007FFBF4361000-memory.dmp

memory/5108-449-0x00007FFC136F0000-0x00007FFC138E5000-memory.dmp

memory/5108-450-0x00007FF6B9230000-0x00007FF6BA495000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

memory/568-453-0x00007FF61EB00000-0x00007FF61FD65000-memory.dmp

memory/568-454-0x00007FFC136F0000-0x00007FFC138E5000-memory.dmp

memory/568-526-0x00007FF61EB00000-0x00007FF61FD65000-memory.dmp

memory/568-527-0x00007FFC136F0000-0x00007FFC138E5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\DevToolsActivePort

MD5 ef777b5661c9a3ba6020d1eaee7c7074
SHA1 ae64b2293f274c30b211f66e2eaa8586353030ef
SHA256 2b3c5822923bac849ceb13c75bb106c6831a5f9aee87bdf388d07a78556d1289
SHA512 b42c7929716f6b29a9e6d6bc24c19a6bcad68fe4efe719b12a2c0da88138d1f4be729e58c0782a071988a8ec572a31aa412acf8d32c502a65ef7630375b7e3e6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Cache\Cache_Data\data_1

MD5 1663ee1068e7e47c308515c2a4ce7ec6
SHA1 9e80b44de6eb13de893e983e10c06e6b66c3d731
SHA256 68d0994088f0357205da5c29e160c296c8828e5bc039f8c11fd032eab07ec413
SHA512 eee1e6cc531cf20251147ca46ce5354be0d419640d7e86f86f1bbcee95f363ffa1226089531ac586769da7bd34c8b7da080fec12fc2e4dc860b3e84f015d47b1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Session Storage\LOG

MD5 3b6e4627f626605689f8cfb7033da4c3
SHA1 51b52045f18f82a11b471238d2abf047334feb60
SHA256 a85ab68d5036b334c011bf8f1d036f56c7b49f3bd0192f2c720e34ec511432ad
SHA512 570d6acbad854d9da42c66a6dc8a9db421743029d5d630473a4e2e81fda3fc1e83d43735a7e69a81d1ecdd4382ed4b969c6a7186e57924129db0c2fe509466df

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Local Storage\leveldb\LOG

MD5 5ed14f58e08a31e5b8990213fb40eb3d
SHA1 27f59b1f02d78a175852fa639eccc6b1dd1159dc
SHA256 de7a4fab0a1f73e45c6528cb3efeec941f7d814fd2230a54be999c3bcd79378c
SHA512 a29c17624d1960f13064184579905519b9db87e558fb6cc0c2a92115055858910889b73573d736a15863fa21c83a183e2025deae50008105316eeeac433c6665

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\GPUCache\index

MD5 f8fb3dc4ec799eb76ca0f8877bb95769
SHA1 46d8f6c9d819faab287fb94b6f358424b5d47a70
SHA256 6eac7cc52f9da3172778e2bad0a89c18bcf7b4f5ccfe7082f043d30942e6b055
SHA512 78b7560775cec3347ddff6ba481ed200d96ae58e0c398b332cd5e13d5b0b00dc07e449563ce6671229b487741230ddaabb43d0bee3c5ee201010db62c24ffc11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\index

MD5 7e17d44de21dc91480ed9acd688353f7
SHA1 381c91fd80a0d017a718b44f87e98d10d9bf0113
SHA256 bd0073fb1c0b7abaec8fea4876030b9ac78d3ec1be11f42c5bf360940c55afa8
SHA512 8db3d0e66b737f6b388ef387fb4de46da8a1b2de4e085c4a3bd4a9149a2aa92297ef7b3840aa7ab4ee566c28833dd89940078974282876cabda117246a9ba9c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Code Cache\wasm\index-dir\the-real-index

MD5 c7ed6a0c8b46ab08b0bd6024421a876d
SHA1 3903c6ef52a9c1e880db3410f5724e942b01897a
SHA256 6094262133524fa308d8b2e7ba056cfd29ae3793cce5d80b2f0747d03af602ff
SHA512 290cee260d23f64ea0d34f8de6a1412674031142be290b61a4d2aaec8c50267a50b53389984accabed3f92c52a1ef94dc401fa26d389c0019f56166b03fd5961

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Code Cache\js\index-dir\the-real-index

MD5 e68637a8d4aa78f76847e51f3e20bc0b
SHA1 98bab3f7b58f0886687ad5b2ff672c87e2266b7c
SHA256 943faa9a99b9f6e9737bae5840b67431421124ff4264320e86a6e2a267cd79ac
SHA512 758a2c58940683398ff76ae0d9f9f3afc228c9bab7dff426f4967bd067569a562cb2d12c1fe96b93026f40486b6b69d1cb45d8e8f877e597e8ac760d92119a54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Cache\Cache_Data\data_0

MD5 d1f604157b0745a40453afb93a6caa42
SHA1 3d5d77429b03674ebb0ba34d925ba1b09310df5e
SHA256 468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5
SHA512 0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Cache\Cache_Data\index

MD5 47071ce1dcb0a335c56fc209fb6e17ac
SHA1 25b3f6e43c575ffa1db62c673e1763cb58deafd2
SHA256 3646bda7343da0f0484b315155a78ca3c881475d4501295ac45f98424e87a4ee
SHA512 75d1e94390f29e5deca5f23d39ef41a498e866b03bff563de650b875d634457c684aa73d1f4ea1db40f44480a6c51f40893edb8a592a50d6421e6136172fcda9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Cache\Cache_Data\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Crashpad\settings.dat

MD5 3f87fc0a6c70fe182a2b47fc2749dcb0
SHA1 2ccf592a6154623bc7ea50e5ce6c3217ace788e9
SHA256 fb382f798260a2a8d5396661eecfaf1824f97567786bbf3907f680983e3c031e
SHA512 4986e2dc15d5d65819f2cb3c83ba66f3f9ec6c390fa42aaf3003d6d7dae6728c6f84c9edb41c4d476ae15926ecddfbf3a3122e25ed5e2c30afab2ecb63f6b128

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0L2UP\Default\Cache\Cache_Data\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\CrashpadMetrics-active.pma

MD5 3116632b5cce5c8477c694b708a9d8b6
SHA1 1711664c9680416067b96dedbd344b057b88f4aa
SHA256 b4335dbc7e97d271093ec652708e865214b03d1115628cea8255e5d13be14350
SHA512 d124de1b88e858d01cdd4c6c432f417cfbe67716183581b28be3ccdc60b67e09deb0268453e79931184df17cb491238a1b3fe43f71892515320d972a48d1851d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Crashpad\settings.dat

MD5 8b9051a55467bbeecb81881a3d2c5f41
SHA1 a14ce8a14fb1a0aa7e7f9fc18b5825e4f9a9314e
SHA256 c14601637df6bf8eef26b814f4c971d4c257b54d1cdb318cd51791952e9910b2
SHA512 067cd7bc38106369f19fcfdfc0819285f32db6f7ee3b0adf2f853a756acd608ad05bfc7d7dd65224acdb162217a62026b3f35d9a7cd86d4baa7dcbbf0e26e552

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Local State

MD5 173c495f860d3e692f174daf461d217d
SHA1 30f33f0a3e19f0b53272420cc0b1af89a5f6161e
SHA256 d550124cc0c4ef970b8e05de9853f9c464a37ab87c12da3dfe2a9e28988bdc31
SHA512 32485522a6af3d54b3b3b2ab3932d4919fdefea9077f50e11b46c0f275cf70f5cd7d9278f580706f634f2fb61aaf7089490d371b9ab92b00f291322427bfa420

\??\pipe\LOCAL\crashpad_4420_WDONNFWHQNPLOOOR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Default\Local Storage\leveldb\LOG

MD5 86ec0c1adb4798769d03d2d4c16fba7b
SHA1 ffc42a09af079435fe86e70da5de0ca48b0a6da5
SHA256 a17a6ab22c369979aa6ff2f91456e5858d13960c7497f747381ce9f826cf4356
SHA512 95f5e2c2ac14a4792d61fbd00eb73a99d120b05766ae4852d8ebcfc80496375094cc19a02164e2a74472fb3383d824b3fb01ac7a1a113db435c392f27759f757

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Default\Local Storage\leveldb\LOG.old

MD5 5c8ebe18cb9b2205b8e05cbbb71e9067
SHA1 81e06b33693866f7e5b6803383c6e834603d8bd9
SHA256 0a763a8b9e0f8116f7bb5e47048eb2dfc483aff8f82ffaee39225a1c86daee0f
SHA512 3626445a75bf7e971cfe043325ef872a59682f6e013fd6974df4c72ef0c2aa337a129717c215a4620e7679893e63fbafacf5e8d2e73ff13c6dd33d7bd820875a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/1100-693-0x00000000023F0000-0x0000000002426000-memory.dmp

memory/1100-695-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/1100-696-0x0000000000940000-0x0000000000950000-memory.dmp

memory/1100-700-0x0000000004F60000-0x0000000005588000-memory.dmp

memory/1100-701-0x0000000004DC0000-0x0000000004E26000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7e976e928abaaa799bb80114b47e9cac
SHA1 b36e270706c6b1791d78054f20ad807e5c91c4f1
SHA256 8c9ae2e550283988fb30eeafedd15c87685b71b6029b54eb3d8d0121cc7a509d
SHA512 a3bed3ef64d193dba9c9eb76d4ab5b7baa2fa2ac967291b572db92cabaf00c15a6d51fabd69b3c469d74a62e4ffeabf19e329e95f0526b243b6011715a8b34d7

memory/4908-712-0x00007FFBF4210000-0x00007FFBF4CD1000-memory.dmp

memory/4908-713-0x0000028278430000-0x0000028278440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIYCY8\Default\Cookies

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2