Malware Analysis Report

2024-11-16 12:28

Sample ID 240304-d3stwagf9z
Target Privacy and Performance Script 23.10.2023.bat
SHA256 d14a50e195ee73828dbb6b8ba6bb5a5d01bab63e344e629808e4b6af927a4307
Tags discovery exploit spyware stealer
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
8/10

SHA256

d14a50e195ee73828dbb6b8ba6bb5a5d01bab63e344e629808e4b6af927a4307

Threat Level: Likely malicious

The file Privacy and Performance Script 23.10.2023.bat was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit spyware stealer

Possible privilege escalation attempt

Reads user/profile data of web browsers

Deletes itself

Modifies file permissions

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 03:32

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 03:32

Reported

2024-03-04 03:36

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

152s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Privacy and Performance Script 23.10.2023.bat"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2276 wrote to memory of 3272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fltMC.exe
PID 2276 wrote to memory of 5104 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 1232 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 3648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 5016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 2868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 3168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4444 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 64 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 3304 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 3768 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 1984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 3060 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 1576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 3160 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 4976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 5044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2276 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Privacy and Performance Script 23.10.2023.bat"

C:\Windows\system32\fltMC.exe

fltmc

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\77550D6B-6352-4E77-9DA3-537419DF564B" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\5C505A59-E312-4B89-9508-E162F8150517" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\10D17DBA-761D-4CD8-A627-984E75A58700" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\1299B4B9-DFCC-476D-98F0-F65A2B46C96D" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f

C:\Windows\system32\takeown.exe

takeown /f "C:\Users\Admin\AppData\Local\Temporary Internet Files" /r /d y

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Temporary Internet Files" /grant administrators:F /t

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\328d11uu.Admin\*.sqlite" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\*.sqlite" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\328d11uu.Admin\*.sqlite" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m8kj4bi.default-release\*.sqlite" 2>nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 03:32

Reported

2024-03-04 03:36

Platform

win7-20240220-en

Max time kernel

64s

Max time network

145s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Privacy and Performance Script 23.10.2023.bat"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2356 wrote to memory of 1244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fltMC.exe
PID 2356 wrote to memory of 2188 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 1412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 1408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 3012 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 3020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2144 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 3040 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2136 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 2860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Privacy and Performance Script 23.10.2023.bat"

C:\Windows\system32\fltMC.exe

fltmc

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\77550D6B-6352-4E77-9DA3-537419DF564B" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\5C505A59-E312-4B89-9508-E162F8150517" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\10D17DBA-761D-4CD8-A627-984E75A58700" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Licenses\1299B4B9-DFCC-476D-98F0-F65A2B46C96D" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f

C:\Windows\system32\reg.exe

reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f

C:\Windows\system32\takeown.exe

takeown /f "C:\Users\Admin\AppData\Local\Temporary Internet Files" /r /d y

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Temporary Internet Files" /grant administrators:F /t

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\*.sqlite" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\*.sqlite" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\xkoyglns.Admin\*.sqlite" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\xkoyglns.default-release\*.sqlite" 2>nul

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7019758,0x7fef7019768,0x7fef7019778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1596 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2060 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2448 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2460 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2352 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3644 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4080 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1400f7688,0x1400f7698,0x1400f76a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1400f7688,0x1400f7698,0x1400f76a8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2788 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3648 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4120 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4476 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2248 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2072 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2524 --field-trial-handle=1320,i,3717210440167847063,13643697146330877466,131072 /prefetch:1

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe"
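
The command lines above are the evidence behind the report's "Modifies file permissions", "Possible privilege escalation attempt" and "Reads user/profile data of web browsers" signatures: reg.exe wipes the Explorer TypedPaths and Internet Explorer TypedURLs history keys, takeown and then icacls re-own and re-ACL the Temporary Internet Files folder, and cmd.exe enumerates *.sqlite files in the Firefox profile directories. The Python below is an added example, not part of the original report or of any sandbox vendor's code, that reproduces that triage over a constructed subset of those command lines. The two rule labels that match report signatures reuse the report's names; the regexes, the "Deletes typed-path/URL history keys" label and the requirement that takeown precede icacls on the same path are the editor's own assumptions.

```python
"""Triage of the sandbox process listing above, mapping command lines to the
report's signature names. Added example; not the report's or any sandbox
vendor's code. Rule regexes and the one non-report label are assumptions."""
import re
from collections import defaultdict

# Constructed input: a subset of the command lines copied from the process
# listing above, plus two benign ones (Chrome renderer, Task Manager) as controls.
CMDLINES = [
    r'reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f',
    r'reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f',
    r'takeown /f "C:\Users\Admin\AppData\Local\Temporary Internet Files" /r /d y',
    r'icacls "C:\Users\Admin\AppData\Local\Temporary Internet Files" /grant administrators:F /t',
    r'C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\*.sqlite" 2>nul',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US',
    r'"C:\Windows\system32\taskmgr.exe" /4',
]

# (label, regex). The first two labels are the report's own signature names;
# "Deletes typed-path/URL history keys" is the editor's label (assumption),
# since the report lists the reg.exe calls without tagging them.
RULES = [
    ("Modifies file permissions",
     re.compile(r'(?:^|\\|\s)(?:takeown|icacls)(?:\.exe)?\s', re.I)),
    ("Reads user/profile data of web browsers",
     re.compile(r'\\Mozilla\\Firefox\\Profiles\\.*\.sqlite', re.I)),
    ("Deletes typed-path/URL history keys",
     re.compile(r'\breg(?:\.exe)?\s+delete\s+"?HKCU\\.*\\(?:TypedPaths|TypedURLs|TypedURLsTime)\b', re.I)),
]

# Target path of 'takeown /f <path>' and of 'icacls <path> ... /grant'.
_TAKEOWN = re.compile(r'\btakeown(?:\.exe)?\s+(?:.*?\s)?/f\s+"([^"]+)"', re.I)
_ICACLS = re.compile(r'\bicacls(?:\.exe)?\s+"([^"]+)"\s+.*?/grant\b', re.I)


def classify(cmdline):
    """Labels of every rule that matches a single command line (RULES order)."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def classify_all(cmdlines):
    """label -> list of matching command lines, over a whole process listing."""
    hits = defaultdict(list)
    for c in cmdlines:
        for label in classify(c):
            hits[label].append(c)
    return dict(hits)


def takeown_icacls_chains(cmdlines):
    """Paths whose ownership was taken with takeown and which were *later*
    re-ACLed with icacls /grant. Order matters: a lone icacls, or an icacls
    that precedes the takeown, is not the pattern the report flags."""
    taken, chains = set(), []
    for c in cmdlines:
        if m := _TAKEOWN.search(c):
            taken.add(m.group(1).lower())
        elif (m := _ICACLS.search(c)) and m.group(1).lower() in taken:
            chains.append(m.group(1))
    return chains


def summarize(cmdlines):
    """Report-style summary; the chain check feeds the report's
    'Possible privilege escalation attempt' signature."""
    hits = classify_all(cmdlines)
    chains = takeown_icacls_chains(cmdlines)
    if chains:
        hits["Possible privilege escalation attempt"] = chains
    return hits


if __name__ == "__main__":
    for label, items in summarize(CMDLINES).items():
        print(f"{label}:")
        for item in items:
            print(f"    {item}")
```

The same takeown/icacls chain and the same TypedURLs deletions are exactly what a legitimate privacy-cleanup script performs, which is why the report scores the sample "Likely malicious" rather than certain: these rules flag behaviour, not intent, and their output is a triage hint to be read together with the rest of the listing (here, the Firefox SQLite enumeration is the item that deserves a closer look).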

Network

Country  Destination          Domain                           Proto
US       8.8.8.8:53           clients2.google.com              udp
GB       142.250.200.14:443   clients2.google.com              tcp
US       8.8.8.8:53           clients2.googleusercontent.com   udp
GB       216.58.201.97:443    clients2.googleusercontent.com   tcp
US       8.8.8.8:53           www.google.com                   udp
GB       142.250.178.4:443    www.google.com                   tcp
GB       142.250.178.4:443    www.google.com                   tcp
GB       142.250.178.4:443    www.google.com                   tcp
GB       142.250.178.4:443    www.google.com                   udp
N/A      224.0.0.251:5353                                      udp
US       8.8.8.8:53           content-autofill.googleapis.com  udp
GB       142.250.178.10:443   content-autofill.googleapis.com  tcp

The table does not attribute connections to processes. clients2.google.com is the crash-report endpoint given as --url in the chrome.exe and chrmstp.exe command lines above, and 224.0.0.251:5353 is the mDNS multicast address, which is why that row carries no domain.

Files

\??\pipe\crashpad_2940_GHBSIODALLXRVSDC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of zero-length input: no content was captured from this Crashpad named pipe)

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\17c24227-8225-43f2-b0ab-efeb62ab673b.tmp

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\scoped_dir2940_1069608709\ae5cab65-9f55-4c4c-ad4f-d34c75d90631.tmp

MD5 2cc86b681f2cd1d9f095584fd3153a61
SHA1 2a0ac7262fb88908a453bc125c5c3fc72b8d490e
SHA256 d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c
SHA512 14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

C:\Windows\TEMP\Crashpad\settings.dat

MD5 1a729d4161a1cd3c183f5d9f3aec4bd5
SHA1 e19ecb0443b44b76ef7859f008e77f62f7ae1c1d
SHA256 783ed670f6f82b5f136faf4f7d81404421e153c0c95a437f1e3aafc83a60dc75
SHA512 7e2d9a01a1bc4c10c8d8bbf54006c77385eee4c6568e7e6d05e1a6a18c766d1c96e04eb5f7820685d062699cabfb1ba6f5dfd7ef579262dcabe8f2f1cc105585

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 0ddef63dc245f40eab60c6629c4a6e52
SHA1 619a555e54a8cd124cbc7aea3c344e204f3bb4f8
SHA256 febbce7d99326242f036d8f1f2531b1273d2717420d755b00569fa0f9aef380f
SHA512 9447416368a91437f177e2234384e83dfd06512d8901fdc0549331959c36811e0bf6668b6fd714b8427cc47e8471ab316fa07175469238218a7fb33ad2729530

C:\Program Files\Google\Chrome\Application\SetupMetrics\0cb782a9-b63b-453e-80c9-ba85d9982fd5.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

C:\Users\Admin\AppData\Local\Temp\scoped_dir2940_1069608709\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

MD5 89d79dbf26a3c2e22ddd95766fe3173d
SHA1 f38fd066eef4cf4e72a934548eafb5f6abb00b53
SHA256 367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69
SHA512 ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

MD5 b82ca47ee5d42100e589bdd94e57936e
SHA1 0dad0cd7d0472248b9b409b02122d13bab513b4c
SHA256 d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d
SHA512 58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 4b26a577345e1bac2f8ad8692acebedd
SHA1 4c657f21883bab420fe8f9728bf4f45a87947c41
SHA256 57c65cf253fc2aade8e905ab7e40653a8898a50f5607f55eafb3f6d2c18acf20
SHA512 f364a0d3ed50a6ff0b5ecfc57f01dcccadf963612e7830a5779b6a75734163fc25ebabf7861aeca6949fc321c2da57f9644cbf1a3a0ea321e2e26593677a6022

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ffe2c8ab38bdc03f4c8c1999599703fb
SHA1 3faee274266f9d9da1fb5664f450f1dd55593baa
SHA256 202c6ef3938477e1a0608b6a0bb11a70f0f0272ea81f758af57e3c54c8ef1fca
SHA512 821168081c9c8e0935e1f320067588216a10464adc0cddfd86a7dc8dd4913f5d5390ef743eb501c1ad9a30e9800a2dd48600da53691052c035b936ac18e5a3f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1718a726f714f0184e7e757811139b1e
SHA1 cfc36b52ede0e29df41d1c08d0c11fc103ec836b
SHA256 fe3f0ae10c0c7effc30d41acbca01acf5778b564a8e6956536cb46acd2c11398
SHA512 7d87ab845edde2578bf03dbd570f03973e7ffafa41c06e3fd82418ccce9fe0051a020819f1e435af0d9eccd264bc7dce55d10ef3878075f0827c8393e941ea75

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 32450abf4998b3c3431e87f1ed31dfd6
SHA1 4a98632468a3157962f777a3eb63b9f6dfe91fd6
SHA256 78f1b078fec229d22715fbfcd4d2b84ebbc8de8fbdcfb8f946bc14bbccb72431
SHA512 7f8aea7982fe83522766ae816df2bf94bc0778938b37d1942accd6202c95fcd1378c57af6842e9c57a4e60883740da27f0158a1c3f9b0d4de5c024654c37100d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a1af5ee8-cb2b-4e3b-bb3d-705cf5222d0e.tmp

MD5 df6460d77ba7919d5e9558f57e4319be
SHA1 a76bb5106252328fd30c34d09e07c587c63e41d3
SHA256 6600cbc44023e2a2c12a94ab365dacca360791de7a2bc9cbc200f09387a785dc
SHA512 f8e8d514d459ba90c32c0985dc678b19d2e2bb212de5bcce5d7377e7154783543ee8fa999d36bda0c2abfb2d01ab84d091d396c72eaca6706953e9480c02fd63

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 50c54a70121e6c93e622c3a365e982b0
SHA1 6fdfd030eb551373ead99443f281fbc3ecb21f17
SHA256 0e44be409e79292d09cd6c5cdf8de4cd469aeefd4249135f55e64b04dbb6f76d
SHA512 75d7aca7b26abc1e48e138a0e8366fe1916a618cef7d1d69ee279a8ff0bab9d604c8a8b84692717c8e5ebfebf647c8fc03356cc27dd4f6d565a8f5b9f2dc05b7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c831c3cf-26b4-4fc1-8225-8e9b9f14d1e7.tmp

MD5 c6ee5e85ed2534cb41a451bfb01c422a
SHA1 84850584b00e397d08e3c82ba600ef3c9b6129a9
SHA256 d6981e7fae0843cfb7f10b296b05a3819b114b658196097972cacb8a188c88ea
SHA512 81e0c424382f3212b78b114eb57f3b0a5e812036ad1c283cac12455eae2d921b3f361204d115ff79e0a1c7ff5e446ec459223ecdfe30405533168ab3d1c98a0d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000002

MD5 22bf0e81636b1b45051b138f48b3d148
SHA1 56755d203579ab356e5620ce7e85519ad69d614a
SHA256 e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512 a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 f683b55fe141fdebb4560262ec369e5d
SHA1 9245b12d869e52aaa70354adddd08ae97ed4c17a
SHA256 c0dd0acebc584d6b4aaece9392109e5d5f52773a9c29f7c13701acb755b76032
SHA512 0086cea0ffb465f12429f2393f382f233a483d8c5dec0452133093a5398e59bd0c54f74e62c824a3a921df8df6cd7467f25665c67fdfd25f1a8924351a814659

memory/2924-1030-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2924-1031-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2924-1032-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2924-1033-0x0000000140000000-0x00000001405E8000-memory.dmp