Malware Analysis Report

2025-01-18 09:16

Sample ID 230808-jhj9wscg8x
Target a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9
SHA256 a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer persistence spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9

Threat Level: Known bad

The file a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9 was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer persistence spyware stealer themida

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Reads user/profile data of web browsers

Themida packer

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-08 07:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-08 07:40

Reported

2023-08-08 07:42

Platform

win10-20230703-en

Max time kernel

117s

Max time network

141s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Note: this signature fires on the directory, not on a driver: the only file touched under System32\drivers is the hosts file, written first by the dropper setup.exe and again by the copy that setup.exe plants as C:\Program Files\Google\Chrome\updater.exe (see "Drops file in Program Files directory"). The hosts file overrides DNS resolution for the whole machine and the report does not record what was written, so on an affected host diff it against a clean copy and look for security-vendor or update domains pointed at 127.0.0.1 or 0.0.0.0.

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
(29 matches on the Themida packer signature, every row recorded as N/A N/A N/A N/A; the report does not say which of the dropped executables carry the packer)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Note: the Run value launches the .NET Framework's own AppLaunch.exe with no arguments, and it is written by AppLaunch.exe itself, that is, from inside the process that cli.exe hollowed (see "Suspicious use of SetThreadContext"). An unmodified AppLaunch.exe started at logon does nothing useful on its own, so read this row together with "Drops file in Windows directory", where the same image is opened for modification. A Run entry that points at a Windows binary users never register as a startup item is a reliable hunt artifact regardless of which it is.

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Note: ip-api.com is a legitimate geolocation service that stealers commonly query to tag the victim's public IP and country in the exfiltrated log; the report does not record which process made the lookup. A DNS query or HTTP request for this host from anything other than a browser is a cheap, high-precision hunt signal.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2512 set thread context of 3192 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1740 set thread context of 3772 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe

Note: both rows have the shape of process hollowing: the source spawns a trusted Windows binary (AppLaunch.exe, conhost.exe), overwrites its memory, points the main thread at the injected code with SetThreadContext and resumes it. AppLaunch.exe is a common host for RedLine's .NET payload; the conhost.exe hollowed by the planted updater.exe carries a second payload the report does not name. The hollowed processes keep their original image path, so detections keyed on image name alone miss them; key instead on a thread-context change against a child that was created suspended, or on a Windows binary whose in-memory PE no longer matches its file on disk.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Note: updater.exe is written into a Google-looking path by a dropper running from C:\Windows\Temp, which no Google installer does; it is the persisted second stage (it rewrites the hosts file, hollows conhost.exe and drops this file). WR64.sys is a kernel driver image placed where no driver belongs. The report shows SeLoadDriverPrivilege being enabled by powershell.exe and sc.exe being launched, but not whether a service was created for WR64.sys or whether it loaded; on an affected host check for a service whose binary path points here and for the driver among loaded modules.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Note: an AppLaunch.exe instance (the hollowed one is PID 3192 in "Suspicious use of SetThreadContext") opens its own on-disk image for write. Whether the file was actually changed is not recorded. Before treating the Run entry above as "just a signed Microsoft binary", verify this file's signature and compare its hash with a clean copy from the same .NET Framework build.

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
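Several of the rows above are host artifacts rather than sandbox-only observations: the hosts-file write ("Drops file in Drivers directory"), the Run value pointing at AppLaunch.exe ("Adds Run key to start application"), the ip-api.com lookup, the WR64.sys drop under Program Files, and schtasks.exe being spawned. The following detection logic is an added example written for this page, not the sandbox's own signatures and not a product rule set. It runs five rules over constructed Sysmon-style events that mirror those rows; field names follow Sysmon (Image, TargetFilename, TargetObject, Details, ParentImage, QueryName). The events are constructed, and two details the report leaves blank are assumptions: that setup.exe is the parent of schtasks.exe, and that the hollowed AppLaunch.exe made the ip-api.com lookup. Each rule is paired with a benign control event so the allowlists are exercised.

```python
# Sysmon-style events constructed to mirror rows in this report. Event IDs follow
# Sysmon: 1 = process create, 11 = file create, 13 = registry value set, 22 = DNS query.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\Temp\\setup.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"EventID": 13, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe",
     "TargetObject": "HKU\\S-1-5-21-2393848421-2120571652-2495149697-1000\\Software\\Microsoft"
                     "\\Windows\\CurrentVersion\\Run\\AppLaunch",
     "Details": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\""},
    # benign control (constructed): the stock Windows Security tray entry also points into C:\Windows
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\system32\\SecurityHealthSystray.exe"},
    {"EventID": 11, "Image": "C:\\Program Files\\Google\\Chrome\\updater.exe",
     "TargetFilename": "C:\\Program Files\\Google\\Libs\\WR64.sys"},
    # benign control (constructed name): a driver landing where drivers belong
    {"EventID": 11, "Image": "C:\\Windows\\System32\\drvinst.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\example.sys"},
    # the report shows schtasks.exe but not its parent: setup.exe here is an assumption
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "ParentImage": "C:\\Windows\\Temp\\setup.exe"},
    # the report shows the ip-api.com lookup but not the process: AppLaunch.exe here is an assumption
    {"EventID": 22, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe",
     "QueryName": "ip-api.com"},
    # benign control (constructed): a browser resolving the same name
    {"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "ip-api.com"},
]

USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"
RUN_ALLOWLIST = {"securityhealthsystray.exe"}  # stock Run entries that legitimately live under C:\Windows
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
GEOIP_SERVICES = {"ip-api.com"}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def first_executable(command):
    """Executable part of a Run value: the quoted token if quoted, else the first whitespace token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def rule_hosts_write(ev, allow=()):
    """Any write to the hosts file; 'allow' is for management agents known to edit it."""
    if ev["EventID"] != 11 or not ev["TargetFilename"].lower().endswith("\\drivers\\etc\\hosts"):
        return None
    if image_name(ev["Image"]) in allow:
        return None
    return f"hosts file written by {ev['Image']}"

def rule_run_key_os_binary(ev):
    """Run value whose command is a binary under C:\\Windows: users do not register those as startup items."""
    if ev["EventID"] != 13 or RUN_KEY_FRAGMENT not in ev["TargetObject"].lower():
        return None
    exe = first_executable(ev["Details"])
    if not exe.lower().startswith("c:\\windows\\") or image_name(exe) in RUN_ALLOWLIST:
        return None
    return f"Run value {ev['TargetObject']} launches OS binary {exe}"

def rule_driver_outside_drivers(ev):
    """A .sys image written anywhere but the driver directories."""
    if ev["EventID"] != 11:
        return None
    target = ev["TargetFilename"].lower()
    if not target.endswith(".sys") or target.startswith(DRIVER_DIRS):
        return None
    return f"driver image {ev['TargetFilename']} dropped by {ev['Image']}"

def rule_schtasks_from_user_writable(ev):
    """schtasks.exe whose parent runs from a temp or public directory."""
    if ev["EventID"] != 1 or image_name(ev["Image"]) != "schtasks.exe":
        return None
    parent = ev["ParentImage"].lower()
    if not any(d in parent for d in USER_WRITABLE_DIRS):
        return None
    return f"schtasks.exe spawned by {ev['ParentImage']}"

def rule_geoip_lookup(ev):
    """Geolocation service resolved by something that is not a browser."""
    if ev["EventID"] != 22 or ev["QueryName"].lower() not in GEOIP_SERVICES:
        return None
    if image_name(ev["Image"]) in BROWSERS:
        return None
    return f"{ev['QueryName']} looked up by {ev['Image']}"

RULES = (rule_hosts_write, rule_run_key_os_binary, rule_driver_outside_drivers,
         rule_schtasks_from_user_writable, rule_geoip_lookup)

def evaluate(events, rules=RULES):
    """Return (rule name, message) for every event/rule pair that fires, in event order."""
    findings = []
    for ev in events:
        for rule in rules:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings

if __name__ == "__main__":
    for name, msg in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {msg}")
```

Run as-is it reports five findings, one per malicious event, and stays silent on the three controls. The allowlists are deliberately short: a real deployment extends RUN_ALLOWLIST with the stock entries seen in its own fleet and passes the management agents that legitimately edit the hosts file to rule_hosts_write, rather than loosening the rules themselves.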

Modifies data under HKEY_USERS

Note: every write in this table is by powershell.exe under HKU\.DEFAULT, the hive a process sees as HKEY_CURRENT_USER when it runs as LocalSystem; the files created under C:\Windows\system32\config\systemprofile (see "Drops file in System32 directory") belong to the same account's profile. The keys themselves (SystemCertificates stores, WinTrust, Internet Settings ZoneMap, MuiCache) are what a fresh profile gets the first time it touches the certificate and WinINet APIs and are not malicious on their own. The signal is that the chain got PowerShell running as SYSTEM; how it did so (scheduled task, service or otherwise) is not recorded here.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(44 matches, no description or indicator recorded; process column only, grouped in report order)
C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe (x3)
C:\Windows\Temp\setup.exe (x2)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
C:\Windows\Temp\setup.exe (x6)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
C:\Windows\Temp\setup.exe (x2)
C:\Program Files\Google\Chrome\updater.exe (x2)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
C:\Program Files\Google\Chrome\updater.exe (x6)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x3)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
C:\Program Files\Google\Chrome\updater.exe (x2)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x6)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4500 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4500 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4500 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4500 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4500 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1156 wrote to memory of 168 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1156 wrote to memory of 168 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 4500 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4500 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4500 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2480 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2480 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 2084 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 2084 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3484 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 2000 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3000 wrote to memory of 3488 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe

"C:\Users\Admin\AppData\Local\Temp\a58085c322c3b652925c69fcb94127e0aa222b44e2938132ee81f4474b0d97d9.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=51737 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffaaba79758,0x7ffaaba79768,0x7ffaaba79778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1420 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1140 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=51737 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1888 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51737 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51737 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2416 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51737 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3024 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51737 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3176 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=51737 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3368 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=3364 --field-trial-handle=1376,i,10623430889252458398,1589652245532058973,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3a4

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#wekljphexmolvfaw#> powershell <#wekljphexmolvfaw#> -Verb <#wekljphexmolvfaw#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 14:42 /f /tn WindowsSecurityNotifications_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 14:42 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\mi.exe

C:\Users\Admin\AppData\Local\Temp\cli.exe

C:\Windows\Temp\setup.exe

C:\Users\Admin\AppData\Local\Temp\cc.exe

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\CrashpadMetrics-active.pma

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Local State

\??\pipe\crashpad_3000_KRRXPXBJLFFMDEUN

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Local Storage\leveldb\MANIFEST-000001

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Local Storage\leveldb\CURRENT

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Local Storage\leveldb\LOG

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Local Storage\leveldb\LOG.old

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hui3etpw.5en.ps1

C:\Windows\system32\drivers\etc\hosts

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Network\Cookies

C:\Program Files\Google\Chrome\updater.exe

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Service Worker\Database\MANIFEST-000001

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Service Worker\ScriptCache\index

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58e1df.TMP

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 aaf3c34a596bc3016e73e7de85b11acf
SHA1 397c2921304af2f69054ed63c7e18c09574fe292
SHA256 9ea5fcec924002a8c64a5eb77add770849625d823cd47e2666fb292acc3e4153
SHA512 73c24e03fb7a930cea75f41fc40681b96102044ee3efab028e90a8e4d8c4f010ebd223b463502cf53e698f2dbee4874b7cec28d843ff54bc1ee899d99dbf22ad

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e3d3.TMP

MD5 2b7d1b142e3635bf8db4b0a20e1ca2dc
SHA1 40fa8edae8b116f8fb11472e71563d446610be52
SHA256 db0babfcaf9ec0f231fc433a12393cce71d328c66511c30e9a76a371cd142200
SHA512 48eea36d33d85d485e194c9c8400e4a94296755a6541679a449ae0056f3fe9f8fd37095e7aa70c7c432508fa9ba2e5ef39d955eb7968acf1c047538ed6dfcdd2

memory/1740-529-0x00007FF6B86F0000-0x00007FF6B9916000-memory.dmp

memory/1740-530-0x00007FF6B86F0000-0x00007FF6B9916000-memory.dmp

memory/1740-531-0x00007FF6B86F0000-0x00007FF6B9916000-memory.dmp

memory/1740-532-0x00007FF6B86F0000-0x00007FF6B9916000-memory.dmp

memory/1740-533-0x00007FF6B86F0000-0x00007FF6B9916000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\f19b8afa0a827449_0

MD5 572dbf22eb148d5b1d03454840bcb404
SHA1 522d1d6eb9bd446c06075a2ebc0587213b6a794f
SHA256 2fdcf7d173cebc2b12299c4e8082213d40b2b0bc629428fda066fdcd714571cf
SHA512 23bdba5e8126b70c786b92dd40298f9848e0f4355d2d8887f9d78cb203947e1022f57dd0201d82b76fd76ec266c976b75c08a61e6689cf93ac7ee0e2f8117b0b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\e9fc3d292fdd7cb6_0

MD5 add265de103b046e8a7e6dce266155be
SHA1 c8f76d627483381c33d70714a3211e725c9f54c0
SHA256 1bae44daec8ac483c6b0f0120c866a316a7905076a05dc140829c41f1bb69548
SHA512 e2ef34b14ced5eeb8f2f7f6986867c0191a2697207d99fd14531f2ec36e51afb044ca86768986ca4d917c320dd000dec274b2005db8b1ea44f1559bc0f284dd8

memory/3192-597-0x0000000000400000-0x0000000000527000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\e6e618d3ef7dcd62_0

MD5 f6210ff3e7b2dfdf9d0c8a3bf59b88b7
SHA1 d3aa021b645a183a7d7821b9a9636ae0f9dfa7be
SHA256 50306b9c563a4e811b3b4e825e320f5a3849892f04bedbcb69cb609ffc520d3c
SHA512 84945adf05d21969d390a5629ec76875f9739ad7c8235e215ee92ed648ef3b1a1b884e876f87ea2c256588e643853076161ef22614b1b1a48a6e17298316264b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\d91ed97b5135f891_0

MD5 f57de28dcc972e60d1f588ea1ab37c4d
SHA1 51900c875981ef0662e213f3bd3d0956b44861d2
SHA256 7c2d3629dc22675db0c1ee32ff7068e6de2c793f85644046c7f06837755b9065
SHA512 30bcf6b444e037cdef074b4a8177ab89c131a071e79c8f66c5e520714d8cc1a90e25b8351636cb33545932bab6e012737ab82ca8aa3b62ac32ccc4e914b8664d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\ca7296f40d264739_0

MD5 e010faa5dab3a531aa21b6d9cb1d6b30
SHA1 b0c0c5c614851357ea46145c0c17e85c4c2d753d
SHA256 1edd6a2ee1eb8581e772f6b71546c5760777234312eb49669a2b9c325a8e10d8
SHA512 f29f45339ffac071e490f3077855917da18187044db490874e11667b2a0e963273a238c55b3fe430cbf36fd04162390786078420a3d50c0d76b4b8e607fd2d3c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\c0134b6c38797399_0

MD5 ec1601f2fa5f284d95bfc7c223bd4c3d
SHA1 2280cb24417bfeb7c559b0dd189818520c4f74aa
SHA256 dd79a6c420e507337d2ef442582600456ae2ad3c78826bbfada42c28f5418725
SHA512 db724a90d0078654464bc000d5aa22164c0608e4f1d4ac0c3e46b4443f4237e71e77dce7ecbc869377a58396c61659bfabe7f5a53390418ccfc8b9caa1012849

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\b83417d4939a1e1f_0

MD5 a9c38e156d6be1927420639691917531
SHA1 70f58d25b0cca6587162db80c5f2846d554f8e9d
SHA256 4f6478041c1eab562df6a00ee0debc26fea6134b3d65325ce76fad60eaa56f8c
SHA512 fe2e857222b6a82a0f85d075c1c36a0d0357a777c074dec4aff5f67115f329a409b16d6b60ccf03f0f3b2c8868bec19eeb77e98ef2f60fb00e0ed4635a97181e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\ab4ca4fd6e15b24f_0

MD5 7e6587d315eec14bfd592aa819cced82
SHA1 ca0cdb5e9b2161386bbc53b34d067caf18fe6a6e
SHA256 236635560736b8a3322a32bd719272ca79367924863101d45bfc7e427009aad5
SHA512 44537cd45f93b1a165011e4a10c8a754e9eb3712dd4dc989e82c7e99365d14bb410ad373919c3bd9546cc927ed1d07d15d45104087dddf1309595d482e1e70ff

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\a10114f36c8fd0e0_0

MD5 d0929d20f5e41e5144e5894661811a8a
SHA1 e4d6eb4b24aefbe78855b7d64c1632710bda58e1
SHA256 ada7fa76d495c73ccbda5a923d36b321ec40566640e14dd7af264eac3fa37fd6
SHA512 fd24fe376bbb110556b3cb709ac151400d0fec4167f0f4277ba0a97c3889358fe1ac5cca40ad70caa2b1692156a48507d405f503eb5f3b23955b71d309bacad0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\96a28fcf7167b04a_0

MD5 a3c4a590a72f972985af6b2dbe76f4e8
SHA1 c4f1456f31c4bebf8610ad08bcd28c2785a0386a
SHA256 44c915d1af7c191cbace638fac617bc2d2634aa5048d992a5695eb21076c8c47
SHA512 56347889486439ef774e0775c383df4edee94abf673c068f1f6d651a3760fb1989b62c758e561dc08935338221e17eb40e059ae10d59088e31513e4f6f90a15e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\5cdd7f396700b435_0

MD5 9202df60f24758a3da362d11772f9fbf
SHA1 d5e9aa321334b538591fb5163f20e148dace1a78
SHA256 5da7f90e27493e7d03eb77ec5a36c9ef579b2c9b84ad936a5e683e9a5b3836ac
SHA512 852307100490eea7d6f4d7d75aaabd9bf89ab2cd6059c3f3bcef215b68416e584146109344de09a43de79bcd5c05d7b41727f1a34f12db8650de64dc32d6672b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\54eb26ed8d10da3d_0

MD5 52ca599f74f8aa7140696d447b62c57e
SHA1 55f86c0b760337c5578a09ca7b76e64363016974
SHA256 8a478d131882527c1622de87eb26f4df3accc76e4860ced54c8b782515b4fca6
SHA512 06eedaefcc96755ca635c3b78b3fc2984275fc984ea2bdaa90fff562bea551df1db8cdb38c5d813c793f161ddc98d6717e536c39392e44024d2d69da2ce34bbb

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\538c87078bedf74f_0

MD5 86368ffad9540669c24f1ed04310ea18
SHA1 39e63cde33231065bf8fe31f09f5f8c01d17b56e
SHA256 6ded05d95184195e443bbefe932685043585295032e69f7327708e3720a0fe27
SHA512 22f7354089876dc097a89d4a3e6d95f2fe73d88427e3c62a6f9a12420b1c27523048f5757821688968a28ce55364bee7af88a7fe497d919716af043f3d5590c7

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\408242ca35bda2b3_0

MD5 965aaeb806c68d89a748058b249e1dba
SHA1 13266987d311a5507885a8bffbe27e89edcaeb3b
SHA256 e574cd4139297c1285f4de6acd55cea7e6709b589717a08a2ff48c9aa50584ee
SHA512 0baeb0218dfe90a842f022a1e8863ad69399e8e4c6917407e4d17413a1e79f633300f593f4fc16c4d1f043124b208d45a081049647a68339440750748c00c4dd

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\3978e55ddeca1efa_0

MD5 a31365bc18155921129e4eb4492f6142
SHA1 dabcdde647a22e64aeeca70c21595672436b976f
SHA256 c4c1270654d7b9b1b8892aa9be8b1ce686c752a193d69d7bf5ba9f3cd35d920c
SHA512 e2edf3d6a9423026acb527e891bf7d27e0ce161834cc9d2fb8ecc6d1e0558fc5a9e59076016567c3ebacbbe6c31aebd2c0ef103a62e5e0769cadaff08de96ec5

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\324e3ea02013107f_0

MD5 c7b3c2f56763279552fd252bf5070aad
SHA1 b773500c92524b294cf8f68c512b4687c34a9ad4
SHA256 d7c0b3cc5a6f36c47d3322e01b6e981e187da6476a96113102da7e89386492ac
SHA512 92970279c602280b6ba76d76bedc8e9b2cfda5ac23ab08b4d9102b3aab5c0038d67bd5585c7faa7d9c3418e31822c2f421fce449e26dcc6a11bb19ac24cece8e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\2e64514b9cd267ab_0

MD5 b97fa437477b502a7d4d8cc007139554
SHA1 569bc6c285c44bf32b0e1e66d4081535a5f7e6ac
SHA256 c08b14ea83e0cad3d73b9b48e3a3a763a363c77759f046e832255b63d96caafe
SHA512 329aa4e8086628285d0085742635c22a3a479b9d38c72c1ee77aa2048c0d8a131d9e900382d861e13ef411e06f90adadf0a815262326ec865bb49d3617756028

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\1c5038ca8204eb27_0

MD5 09cd33086f2c085d9fc61e9a37fb5e40
SHA1 3b1692b2f77bc01e6119749f6cf74b63f718a648
SHA256 e3040f9fa0f08e97de7710d401c3f365cd42c3845fee00067ee0e6f9e0f10592
SHA512 2eef3349c9fa4a612b2b27a26119c4800d44bfe6994113d2beb1db1313fbd4a20ef0793dbcdc4ff3fb4111719cdd73d0838643b4360128bc3a56d1d4acda38a6

memory/3192-606-0x0000000000400000-0x0000000000527000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Code Cache\js\0268938681f021db_0

MD5 e7e2b5a94d80cc4b6fdddd775aaae2ab
SHA1 dcd3ce720f85ff72d20b1331d5dc8f92c83d0b54
SHA256 d309aa2f0c393f1ff451a6d880feff416642b9bbb686b8bcc771c36f8bb77ee7
SHA512 6da873d280c4bbb6234146017315f7eb953770c03e6079741647148cad2e40f77c9c399fef65658bec4b0928a40bc06184e9f44fffa1fdbce55012d6e981848b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\index

MD5 1741dd255f47a37aa11a537c0048f7d4
SHA1 f852164836cd6ae074bbb86495b09110ce2460bc
SHA256 64da73cf21d930d8d571f75c068ecb7329a27162814df04ecc18919dee944a5e
SHA512 4ce229a13dd2236eac0e1ecd00208b7d81a16768c38e3a3a02845b2ff087e65ec1cdaa4e643b153709575e47402a03ef9a76e40aace987c7877820015425e932

memory/3192-608-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-609-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-610-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-612-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-611-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_00000c

MD5 27cd2cadf2c6803021503d69ef6adb59
SHA1 42db3241dceb8e751bc394963be6c3a600c63438
SHA256 d1b75085ea35b7053cf99dcd0764c28eb035f1228ca2fa4393040a0f1f4e3927
SHA512 6f1862d0cf21c62bc047ebcf66fdabe392c18e3a4534206941fa9ccf0e155c51b1dac0d1409b2283de08fe22782b5d8f48d8956fd33c6e0ccb006a8a9f4acfec

memory/3192-614-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-616-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-618-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-619-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-617-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-621-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-620-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-615-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-613-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_00000b

MD5 355dcc3d527c3e9cee6ad0819e479211
SHA1 2e31ed9f7f6214bcc6419de03438c6613357ce56
SHA256 2096b2907f5170ec6a2eb2a418547e187f0e9e03ebd1b4fcf97c948acfb07f7c
SHA512 d61d48c09735e749a7448ac05c577fabdd0b3508aff5acfbd256d141c9dedd209263ecc9d3ef0bfcf80dc83e64115530dba88c608c43f96ec3df366c24a983eb

memory/3192-623-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_00000a

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000009

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000008

MD5 99374f3368b192f0ebb50e2ec284e2eb
SHA1 9415121c85654b2bf0a98576c11589ff304665c9
SHA256 85e81bcb282f3c74de592b44362f4adc0271e43743de6bd3c984e59c840d7f28
SHA512 582886a6ff12929ae865e2ceba30e96d0e5a77e2a09b6ba130f2416fc6ac544bc2bd2337df145dabbcae84d13a67e9922a0890c77c40b06149d562116b35a311

memory/3192-627-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-629-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-630-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000007

MD5 d453afffdfdc0b4a8dade7dc8c9572d6
SHA1 58059302d94ed9744e739e388d24bde852996908
SHA256 9c34eeebfce83033015f38c7a605d1fed811fb54720409bfe06ad5c2c91fe2d1
SHA512 2678c762ac65b5edebd1ae552e061495f551a4d037d0dfd0732c98c3e197e498a1b020c927e11f2c3dbd388dcd863f83990632581582e20767b8bb1a0b0f6927

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000006

MD5 5ca9c119403d3c0232849ea215008686
SHA1 06b4fef2dbdc0709c7edcdf8c35bb89d9f020ed2
SHA256 d7d39741765231d5408c5a7166713d079108c1ff4d780095e9aee2218203cc98
SHA512 f8322e578a455743cce7fac74feafb7c37c0d65dcd278dab774f367fcb86563012ffb83bf384dd262be90d83c855b44f22546d8253b4833e886a8fda71beaa95

memory/1740-628-0x00007FF6B86F0000-0x00007FF6B9916000-memory.dmp

memory/3192-632-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-633-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-631-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000005

MD5 520afd77dd786dcba066db25d79d821e
SHA1 bcdd8e966e4ef08da00b5f48cc062fd4c5852b73
SHA256 9b4fb57a5c3dd6996892277112e7fabb483d69b444fbbe1935a769802b1ce303
SHA512 fae19c262924331882857c8960c0a11b991aabc395c4be3e24387d4f342e92fc489b5771f711d6c50309da4cf55b0099452d0a2499c41faab774d89463756ae8

memory/3192-639-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-638-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-637-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-635-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-636-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

memory/3192-634-0x00000000FEE20000-0x00000000FEE30000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000004

MD5 500ecdda9ad3e919a1f41c1588266a1b
SHA1 d5ddf92dc08284a48701a4d3555590bda05f77e0
SHA256 caad3feace9086d27e006d538d2daf4dd50e2b33307232a7db6d5f8c48f73b37
SHA512 5e47a0d0721ec0f9adb5a439ffc98c1b4da780e74270332313f8350f228bdb919d32c4812c6ede84ebae3ead1342c2eaf4c73f4dfca5a87e8887e1b5913c0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000003

MD5 44d12dc4a3dc874f8c0182d8113c1590
SHA1 0c5b2dbac5f5265cb045373939890c5ea265af80
SHA256 14c577cbf6a8fbfc3a023adc135a59d45024566b909ee3482e058cf01f600f3a
SHA512 9e532617e92005a3b21f8b64a421326519f28c6146676ad9b4c8e4f2fa059abb1d5c8abde28c23ac1d1750641a0007da7caab34d58abeef039d87f9fde82b0e4

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000002

MD5 da4cec20c30abd49c5b03cb178c6e5f7
SHA1 c7a0efa3f505a46e5e5001e4fccbef753f52c119
SHA256 11a703e00e1246b141133c860527146c54979728745aaa1858c20d819144f56a
SHA512 60279e6b06b7d8994c1abc2e75617ff39562fcdcfb4b3d693d5db6b18e05eaea3bec033857bf1dc357a8e9b5228fbf272efd034f048ce4cefb6b005e18e0d26e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\f_000001

MD5 26b73e5ef4559bf17ba087e858806d96
SHA1 53066a6b7bf2ae28eb9f4cb70b6d4f966d220695
SHA256 ad2c3d9b2890fe8971baaf32aea42d3dc24a8cd6d7a9f5102277a9ebb73403ec
SHA512 9a1689e8a766440e6b09ca453cf74ea5773e9a37905c7a0ad51d62f0f708742f1eab4364ca39a6a1b3c4bf309145b627bc7f0887b2faeaa0ad3c0def794e4029

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\data_3

MD5 d4356233515349c9f56d391091ca25ad
SHA1 253c9c6f0d56b57b72ed3499f8ea78fde4094118
SHA256 9303c484a41a5601d3d4bd045ccd79015e8ae69ceeb1600ba9038f9c7caede9d
SHA512 18f1c1c589243f5ebec1c99ce92506a436dc0dd65418dee9067ce869c587505ed0c74b84535e05b200cb375469175390f4b0a69e8f524190b3c556ec73d45f43

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\data_2

MD5 47ae36c9785fede54c188e84e2967a7d
SHA1 01d99a453696664c8599575c8da2c8875e4741d5
SHA256 f6573626ee58131d1beb6e4f0c84dd3d7d29b21c77de6840090144348418607e
SHA512 42737b4655b8df887cca98412bec65fb57819a0d5d6606eb8883ad64483c6dc4f5f8188ccee17df76738985ab46b47dd0fd211eec5561c55fea0f59e26694530

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\data_1

MD5 c851bc47beb4a2ba9978772e2ed01712
SHA1 ca3255d43e70c5f8ef7a2784af2a9269649373cf
SHA256 c87817cb07983925c4a5ea3e62b03ee22461a2cb46f4f89c980da0244cde5ced
SHA512 52f1af36a8d93bb154dd44500d5ff7dfc6627d5f4919006bb8bb1ca9082fd47147c6ba726ea234031bc4b77e8b5016ff4b2ac2bca3e07c6a6678bf94295d49e1

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\Cache\Cache_Data\data_0

MD5 78d58b93a70710d313f2a0bd8ed4c406
SHA1 e78f5edc611f1cceddd5a40788e7dc05ffcb8dad
SHA256 16b6584db804244ab4ad4ec91ce46e1ff56e6d982cab7ea873e8e01beb88f558
SHA512 a98990ca0a5c49918954f541bd0c0fad38cba498ec8eb8b1eb3bd25d2829f28dfb917daa262f633adb7fb9022943d06a5d588ebfef5e91a03dee90bfcec35de6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Crashpad\settings.dat

MD5 fae581590a498b05ca93a82a37cbb19c
SHA1 2c85475bfeec29ea911b68477f98751807328c49
SHA256 0d570c7f155839ab9bacffe8bf2f9bd39b6a9073b216c91743b01603f70b3357
SHA512 e5a33c113d5b60702cd9f23c4b8c7e4e486d24dde345d16dbd0cdfa792bd414d1a92885892759224d8e682294f6efcb2d3d7487da68571c8c172fccbd0c06bf8

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\DevToolsActivePort

MD5 71e88533b8954db42d5b3e6f6f16a375
SHA1 63bfd52e84f2955021e680d0d318fdfdc8c0f59c
SHA256 9cf6fcbfdad88e276b2fc201950f84789afc8de2af5b2fd610d66d988b17c20a
SHA512 e56d1bafbf716df1ed285e3034494d038ecaf276314995c2e0e85774a67226ba00d54de481f8d6dcabe1f3a1f0bac9e30f82306ff1fb42b2784b4b972f5fdf8f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOTE2A\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58