Malware Analysis Report

2025-01-18 08:34

Sample ID 230810-r7xkhsdf58
Target 3020-61-0x0000000002340000-0x0000000002374000-memory.dmp
SHA256 d447acfea3cd5d34b857f21ffedcb4ebb6ffb1ee5572346af2deb3a467148689
Tags
logsdiller cloud (tg: @logsdillabot) redline evasion infostealer spyware stealer themida persistence
score
10/10


Analysis Overview

score
10/10

SHA256

d447acfea3cd5d34b857f21ffedcb4ebb6ffb1ee5572346af2deb3a467148689

Threat Level: Known bad

The file 3020-61-0x0000000002340000-0x0000000002374000-memory.dmp was found to be: Known bad.

Malicious Activity Summary


RedLine

Redline family

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Executes dropped EXE

Reads user/profile data of web browsers

Themida packer

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

Modifies system certificate store


Analysis: static1

Detonation Overview

Reported

2023-08-10 14:50

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 14:50

Reported

2023-08-10 14:53

Platform

win7-20230712-en

Max time kernel

90s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2268 created 1228 N/A C:\Windows\Temp\setup.exe C:\Windows\Explorer.EXE (×5 identical events)
The creating process is setup.exe (PID 2268) and the recorded parent is Explorer (PID 1228): parent-PID spoofing through the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS mechanism, which is also why the process tree for this run is rooted at C:\Windows\Explorer.EXE rather than at the sample.

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
The only file written under drivers\ is the hosts file itself, so this is a hosts-file rewrite (the usual way to black-hole update or security-vendor domains), not a driver drop.

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
(25 matches, no indicator details recorded)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (×2)
The literal %ProgramData% is an environment variable that was never expanded, so the path was resolved relative to powershell.exe's working directory (System32). The target is the Windows PowerShell Start Menu shortcut, not a file placed into System32; on its own the entry carries little weight.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1836 set thread context of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04
eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
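The two Blob values above are worth decoding rather than trusting the signature label. The Python below is an added example, not part of the sandbox report, that parses the serialized certificate-property format Windows stores under SystemCertificates\...\Blob (a sequence of little-endian property_id / reserved / length / data records, with property 0x20 holding the DER certificate) and checks the AuthRoot entry for internal consistency: the friendly name, the commonName values inside the DER, and whether the SHA-1 of the embedded certificate equals both the stored SHA-1 property and the registry key name. The blob hex and key name are copied from the table above; the property IDs are the wincrypt.h CERT_*_PROP_ID constants, and the commonName extraction is a byte-pattern scan rather than a full X.509 parser.

```python
"""Decode a SystemCertificates\\...\\Blob registry value (added example, not from the report).

Each record is <property_id:u32><reserved:u32 = 1><length:u32><data>, little-endian;
the IDs are the CERT_*_PROP_ID constants from wincrypt.h.
"""
import hashlib
import struct
from typing import Dict, List

PROP_SHA1_HASH = 0x03      # CERT_SHA1_HASH_PROP_ID: the thumbprint
PROP_FRIENDLY_NAME = 0x0B  # CERT_FRIENDLY_NAME_PROP_ID: UTF-16LE, NUL-terminated
PROP_CERT = 0x20           # CERT_CERT_PROP_ID: the DER certificate
OID_COMMON_NAME = bytes.fromhex("0603550403")  # OBJECT IDENTIFIER 2.5.4.3 (commonName)

# Key name and Blob value copied verbatim from the AuthRoot entry in the table above.
KEY_THUMBPRINT = "DAC9024F54D8F6DF94935FB1732638CA6AD77C13"
BLOB_HEX = "".join("""
040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d
0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301
140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053
030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef424
20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500
303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833
301e170d3030303933303231313231395a170d3231303933303134303131355a
303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833
30820122300d06092a864886f70d01010105000382010f003082010a0282010100
dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c
e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f
48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec
1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d
0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910
300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d
3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c41
81e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f52
6489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776e
ac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
""".split())


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split the blob into {property_id: data}; refuse anything whose lengths do not line up."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or length > len(blob) - off:
            raise ValueError(f"malformed record id={prop_id:#x} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def common_names(der: bytes) -> List[str]:
    """Every commonName in the DER, issuer first then subject (a byte-pattern scan, not a full X.509 parser)."""
    names, pos = [], 0
    while (pos := der.find(OID_COMMON_NAME, pos)) >= 0 and pos + 7 <= len(der):
        tag, length = der[pos + 5], der[pos + 6]
        if tag in (0x13, 0x0C) and length < 0x80:  # PrintableString or UTF8String, short form
            names.append(der[pos + 7:pos + 7 + length].decode("utf-8", "replace"))
        pos += 5
    return names


def check_store_entry(key_thumbprint: str, blob: bytes) -> dict:
    """Cross-check the key name, the stored SHA-1 property and the hash of the embedded DER."""
    props = parse_cert_blob(blob)
    der = props[PROP_CERT]
    der_sha1 = hashlib.sha1(der).hexdigest().upper()
    stored_sha1 = props[PROP_SHA1_HASH].hex().upper()
    return {
        "friendly_name": props[PROP_FRIENDLY_NAME].decode("utf-16-le").rstrip("\x00"),
        "common_names": common_names(der),
        "cert_len": len(der),
        "thumbprint_prop": stored_sha1,
        "der_sha1": der_sha1,
        "consistent": der_sha1 == stored_sha1 == key_thumbprint.upper(),
    }


if __name__ == "__main__":
    for k, v in check_store_entry(KEY_THUMBPRINT, bytes.fromhex(BLOB_HEX)).items():
        print(f"{k:16} {v}")
```

A root that an attacker injected would still pass the thumbprint consistency check (the writer controls all three values), so the decisive step is the one the code leaves to the analyst: compare the recovered commonName and SHA-1 with the Microsoft Trusted Root Program list. What the check does rule out is a corrupted or truncated capture, and it gives the subject name without round-tripping the blob through certutil.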

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe (×4)
PID 1368 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe (×4)
PID 2284 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe (×4)
PID 1836 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (×9)
PID 1836 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\SysWOW64\WerFault.exe (×4)
PID 2284 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe (×4)
PID 2728 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (×3)
PID 2728 wrote to memory of 2724 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (×3)
PID 2728 wrote to memory of 2740 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (×3)
PID 2728 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (×3)
PID 2728 wrote to memory of 2840 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe (×3)
PID 2468 wrote to memory of 600 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (×3)
PID 2468 wrote to memory of 328 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (×3)
PID 2468 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (×3)
PID 2468 wrote to memory of 2028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe (×3)
PID 2276 wrote to memory of 2588 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\schtasks.exe (×3)
PID 1604 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe (×4)
PID 3064 wrote to memory of 1876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
(×N) is the number of identical events logged; three or four writes into a freshly created child is the normal footprint of process creation, not of injection. The entry to read differently is cli.exe (PID 1836) writing nine times into AppLaunch.exe (PID 2568) together with the SetThreadContext event above: write image, redirect the main thread, resume is the process-hollowing pattern, and it runs the payload inside the Microsoft-signed .NET host, which is how RedLine is commonly delivered. The remaining rows are the dropper (memory.exe) fanning out into mi.exe, cli.exe and cc.exe, mi.exe launching setup.exe, and the cmd.exe/powershell.exe children of the hardening script (sc.exe, powercfg.exe, schtasks.exe). cc.exe spawning chrome.exe is the headless browser whose command line appears below.

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=17536 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef66d9758,0x7fef66d9768,0x7fef66d9778

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=820 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1204 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=17536 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1512 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\system32\taskeng.exe

taskeng.exe {C141627F-78BD-4677-97A1-A25BE8964E0C} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=17536 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1936 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=17536 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2448 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=17536 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1816 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=17536 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2596 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=17536 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2692 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2592 --field-trial-handle=964,i,13633734962078991526,14430922676899609469,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe
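The process list above is a chain of living-off-the-land commands: a Defender exclusion for the whole user profile and Program Files, the Windows Update services stopped, every sleep and hibernate timeout zeroed, a SYSTEM scheduled task named after Google Update that launches an updater.exe under Chrome\, and Chrome started headless with a remote-debugging port. The Python below is an added example, not code from the report or from the sandbox vendor, that runs a small set of command-line rules over those command lines plus three benign controls (WerFault, sc query, powercfg /list) that must stay quiet. The regexes, the ATT&CK technique IDs attached to each rule and the allowlist of legitimate Google Update task names (GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA) are the author's assumptions, not data from the report.

```python
"""Command-line detection rules for the hardening chain in the process list above
(added example; rules, technique mapping and benign controls are the author's, not the report's)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # ATT&CK technique ID, author's mapping (assumption)
    pattern: re.Pattern


RULES = [
    Rule("defender-exclusion", "T1562.001",
         re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    Rule("update-service-stop", "T1489",
         re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    Rule("power-timeouts-zeroed", "T1653",
         re.compile(r"powercfg\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", re.I)),
    Rule("system-task-create", "T1053.005",
         re.compile(r"schtasks(?:\.exe)?\"?\s+/create\b.*?/ru\s+'?System'?", re.I | re.S)),
    Rule("headless-remote-debug", "n/a",
         re.compile(r"chrome\.exe(?=.*--headless\b)(?=.*--remote-debugging-port=\d+)", re.I)),
]

# Assumption: Google Update itself only registers these two machine-wide task names.
LEGIT_GOOGLE_TASK_SUFFIXES = {"Core", "UA"}
GOOGLE_TASK_RE = re.compile(r"GoogleUpdateTaskMachine(\w+)")


def google_task_masquerade(cmd: str) -> bool:
    """T1036.005: a task name imitating Google Update with a suffix Google does not use."""
    m = GOOGLE_TASK_RE.search(cmd)
    return bool(m) and m.group(1) not in LEGIT_GOOGLE_TASK_SUFFIXES


def triage(cmdlines: List[str]) -> List[Dict[str, str]]:
    """One hit per (rule, command line); a command line can trigger several rules."""
    hits = []
    for cmd in cmdlines:
        for rule in RULES:
            if rule.pattern.search(cmd):
                hits.append({"rule": rule.name, "technique": rule.technique, "cmd": cmd})
        if google_task_masquerade(cmd):
            hits.append({"rule": "google-task-masquerade", "technique": "T1036.005", "cmd": cmd})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    return Counter(h["rule"] for h in hits)


# Constructed sample: command lines copied from the report, plus benign controls.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc",
    r"sc stop WaaSMedicSvc",
    r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    r"powercfg /x -standby-timeout-ac 0",
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }""",
    r'''"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"''',
    r'C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=17536 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK" --profile-directory="Default"',
    # benign controls (constructed): crash reporter from the report, a service query, a power-scheme listing
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 108",
    r"sc query wuauserv",
    r"powercfg /list",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_CMDLINES)
    for h in hits:
        print(f"{h['rule']:24} {h['technique']:10} {h['cmd'][:72]}")
    print(dict(summarize(hits)))
```

The rules are deliberately narrow (the exact service names, the exact timeout switches, a task running as System) so that a hit on any one of them is worth a look and three or more together describe this chain; a wider rule such as "any schtasks /create" would drown in installer noise. The masquerade check is the piece a generic ruleset lacks: the task name alone is what distinguishes GoogleUpdateTaskMachineQC from the two names Google Update really uses.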

Network

Country Destination Domain Proto
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp (×24)
US 8.8.8.8:53 ogs.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
US 8.8.8.8:53 apis.google.com udp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.250.179.206:443 play.google.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.250.179.206:443 play.google.com udp
NL 142.251.36.22:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.34:443 googleads.g.doubleclick.net tcp
NL 104.85.1.163:443 www.microsoft.com tcp (×2)
NL 142.251.36.34:443 googleads.g.doubleclick.net udp
NL 104.85.1.163:443 www.microsoft.com tcp (×2)
NL 142.251.36.22:443 i.ytimg.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp (×4)
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
NL 172.217.168.234:443 jnn-pa.googleapis.com tcp
NL 142.251.36.6:443 static.doubleclick.net tcp
NL 172.217.168.234:443 jnn-pa.googleapis.com udp
NL 104.85.1.163:443 www.microsoft.com tcp (×8)
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
NL 104.85.1.163:443 www.microsoft.com tcp (×20)
Rows marked (×N) stand for N consecutive identical entries in the original log. What to pull out: 136.244.98.226:33587 is the only TCP destination with no DNS name and sits on a high port, consistent with the IP:port C2 pattern RedLine uses; transfer.sh (144.76.136.153:443) is the public file-sharing service behind the "Legitimate hosting services abused for malware hosting/C2" signature; stratum-eu.rplant.xyz:17056 is a mining-pool endpoint (stratum is the miner-to-pool protocol), which fits the updater.exe scheduled task, the stopped update services and the zeroed sleep timeouts; apps.identrust.com is IdenTrust, the issuer of DST Root CA X3, contacted over HTTP while a certificate chain was being built; the Google, YouTube and DoubleClick traffic comes from the headless Chrome instances that cc.exe started with a remote-debugging port. The repeated www.microsoft.com:443 connections are a connectivity check and carry no payload information on their own.

Files

memory/2284-54-0x00000000003B0000-0x00000000003E4000-memory.dmp

memory/2284-55-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2284-56-0x0000000000330000-0x0000000000336000-memory.dmp

memory/2284-57-0x0000000004B00000-0x0000000004B40000-memory.dmp

memory/2284-58-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2284-59-0x0000000004B00000-0x0000000004B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA797.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarA8D2.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0b19f0ef5186cbc74709d4c8681d3e5
SHA1 d1a5a54e24a5600c0de907858b21a72313b7ebd3
SHA256 1810172f3a310b22500116d73188c06083ec0c032d5a1a01681981dafbbf3996
SHA512 f0256ccb847287e70bea55042498d0bfd21b6efb9ac9227019936df35364ede6a81c6689c90f774ccf90c15e12179cd9b988bd099b7c3d400c21d7c8d999bd2f

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1368-136-0x00000000038B0000-0x0000000004AD6000-memory.dmp

memory/2268-137-0x000000013F870000-0x0000000140A96000-memory.dmp

memory/2268-138-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/2268-139-0x000000013F870000-0x0000000140A96000-memory.dmp

memory/2268-140-0x000000013F870000-0x0000000140A96000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/1368-148-0x00000000038B0000-0x0000000004AD6000-memory.dmp

memory/2284-149-0x000000000C250000-0x000000000C4DB000-memory.dmp

memory/2268-147-0x000000013F870000-0x0000000140A96000-memory.dmp

memory/1836-150-0x0000000000870000-0x0000000000AFB000-memory.dmp

memory/1836-152-0x0000000000870000-0x0000000000AFB000-memory.dmp

memory/2268-151-0x000000013F870000-0x0000000140A96000-memory.dmp

memory/2268-153-0x000000013F870000-0x0000000140A96000-memory.dmp

memory/2268-154-0x000000013F870000-0x0000000140A96000-memory.dmp

memory/2268-155-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/2568-156-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2568-159-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2268-157-0x000000013F870000-0x0000000140A96000-memory.dmp

memory/2568-165-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2568-167-0x0000000000400000-0x0000000000527000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2568-170-0x0000000000400000-0x0000000000527000-memory.dmp

memory/2568-171-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-172-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-173-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-174-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-175-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-176-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-177-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/2568-179-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-180-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-181-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-182-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-184-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-187-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-190-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-189-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-191-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-188-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-186-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-193-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-192-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-185-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-197-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-198-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-196-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-195-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-194-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-199-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-207-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-211-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-216-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-215-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-214-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-213-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-212-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-210-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-209-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-208-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-206-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-205-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-204-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-203-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-202-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-201-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-200-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2568-183-0x00000000FFFA0000-0x00000000FFFB0000-memory.dmp

memory/2284-225-0x000000000C250000-0x000000000C4DB000-memory.dmp

memory/1836-226-0x0000000000870000-0x0000000000AFB000-memory.dmp

memory/2568-248-0x0000000077C2F000-0x0000000077C30000-memory.dmp

memory/632-255-0x000000001B220000-0x000000001B502000-memory.dmp

memory/632-256-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/632-258-0x00000000022C0000-0x0000000002340000-memory.dmp

memory/632-259-0x00000000022C0000-0x0000000002340000-memory.dmp

memory/632-261-0x00000000022C0000-0x0000000002340000-memory.dmp

memory/632-257-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/632-263-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/632-264-0x00000000022C0000-0x0000000002340000-memory.dmp

\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

memory/2284-269-0x000000000C140000-0x000000000C774000-memory.dmp

memory/1604-270-0x0000000077C20000-0x0000000077C22000-memory.dmp

memory/1604-271-0x0000000000E20000-0x0000000001454000-memory.dmp

memory/2284-273-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/632-275-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

memory/1604-276-0x0000000000100000-0x0000000000170000-memory.dmp

memory/1604-277-0x0000000074BF0000-0x00000000752DE000-memory.dmp

memory/1604-278-0x0000000000B10000-0x0000000000B7C000-memory.dmp

memory/1604-279-0x0000000003110000-0x0000000003150000-memory.dmp

memory/1604-280-0x0000000003110000-0x0000000003150000-memory.dmp

memory/1604-281-0x0000000003110000-0x0000000003150000-memory.dmp

memory/1604-282-0x0000000005D40000-0x0000000005DF2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0a89eda67beaf0cc6f861532f23f6d82
SHA1 f884bdf3d3064897d6795ea27db3b263b82284c9
SHA256 15548414929af3249e1155addb2a3c07d469d1c938fe8cc5ba8fbb25c73fc296
SHA512 3318ae921058e777ac6226285c25dddc4afcb1dcb97916464c6e54fef606a5cc871209992b2342440426daba8c28c3d3c379e37b489415601856ed16fcfb7b91

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KXN9XM7ZOXTSK87C4W96.temp

MD5 0a89eda67beaf0cc6f861532f23f6d82
SHA1 f884bdf3d3064897d6795ea27db3b263b82284c9
SHA256 15548414929af3249e1155addb2a3c07d469d1c938fe8cc5ba8fbb25c73fc296
SHA512 3318ae921058e777ac6226285c25dddc4afcb1dcb97916464c6e54fef606a5cc871209992b2342440426daba8c28c3d3c379e37b489415601856ed16fcfb7b91

memory/2276-290-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

memory/2276-291-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

memory/2276-292-0x00000000024F0000-0x0000000002570000-memory.dmp

memory/2276-294-0x00000000024F0000-0x0000000002570000-memory.dmp

memory/2276-293-0x0000000002320000-0x0000000002328000-memory.dmp

memory/2276-295-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

memory/2276-296-0x00000000024F0000-0x0000000002570000-memory.dmp

memory/1604-297-0x0000000000E20000-0x0000000001454000-memory.dmp

memory/2276-303-0x00000000024F0000-0x0000000002570000-memory.dmp

memory/1604-330-0x0000000074BF0000-0x00000000752DE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

memory/2276-334-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\system32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

memory/2268-339-0x000000013F870000-0x0000000140A96000-memory.dmp

memory/2268-340-0x0000000077A30000-0x0000000077BD9000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Local Storage\leveldb\MANIFEST-000004

MD5 031d6d1e28fe41a9bdcbd8a21da92df1
SHA1 38cee81cb035a60a23d6e045e5d72116f2a58683
SHA256 b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512 e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Local Storage\leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Local Storage\leveldb\LOG

MD5 c49084f1fdb5c7e400c3741e047a0710
SHA1 19f594acb1e5ade883237c8a288f58e5bc248180
SHA256 d9fa11e01914a57d337aebef5fa20794bcc562f45c2095e7500a9208fad46e0d
SHA512 13f13a3612b9fdc74ab11626d58a24e84fe32871f992a242c29f019255487c8e358f29175112e282405c12355080239f2be1e60290ea6ba70e91888feb000ea2

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Local Storage\leveldb\LOG.old

MD5 aeb305dee71328cb61750cc5b7cb5b30
SHA1 c4c70d01d2ebf27351faea2ce0ba9de97aa96700
SHA256 7dcb361e8c0d183772d7f188703853c588526fff9adca6398649ba03ec9eaa96
SHA512 f9fddc20b8d7eaf3e615efdcf31fee402aea9996241da117796303a9ac7de5557ecfb3c4af31efe4a71ad72e004d5a17978f061d7b1f117aeb2732d788574be4

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Local State

MD5 89a50f71f6dadfa2bf62058662772e5e
SHA1 bed778a4c905f7d3920954c84a653710d6749436
SHA256 9012e9bcfb4d61f310ce8f7ad7b3834d64bfef85206e1ebdcf24214e178c1b92
SHA512 2cfc4532b1c4cbe81e2950efb2c53252a1b59a592067be4ee93f1d205e57bbc4395abf0df4d0f339e423076b810a6a4e5756fd19843ce9d3ebeb4a2229371321

memory/1604-347-0x0000000003110000-0x0000000003150000-memory.dmp

\??\pipe\crashpad_3064_HKLELWFKCLQSEVOW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1604-365-0x0000000003110000-0x0000000003150000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1604-372-0x0000000003110000-0x0000000003150000-memory.dmp

memory/1604-373-0x0000000003110000-0x0000000003150000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/1520-375-0x000000013F020000-0x0000000140246000-memory.dmp

memory/2928-377-0x000000013F020000-0x0000000140246000-memory.dmp

memory/2928-379-0x0000000077A30000-0x0000000077BD9000-memory.dmp

memory/1604-388-0x0000000000BB0000-0x0000000000BF2000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Session Storage\CURRENT~RFf780676.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/1520-490-0x000000013F020000-0x0000000140246000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Service Worker\ScriptCache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 a9edd7c785640b13bee2bb4509726aec
SHA1 cb76b83853547886d93f4ce254e552929bcba553
SHA256 d0f229dc677d4196b3df235265d3befe550093ef83255b5e1666b0069f332448
SHA512 6bb338d7f75e7d455c09f8174e8d29b5970e7d5a02aaa256302654005b47af59efa3642e305034040e614773c83756d32ce098f4ae2a72868d1cd1986808127d

memory/2928-554-0x000000013F020000-0x0000000140246000-memory.dmp

memory/2928-664-0x0000000077A30000-0x0000000077BD9000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 a91573da0de2455728f020b6ba86e6fe
SHA1 e26b918c8f92560474b48886fd42890f2e0fb75e
SHA256 dedfb629749d8788ecad62b9863c0c4b37b7d6a3ea163d2ba56aaf26e7f6157b
SHA512 a6a274388dc0a73df97e0001cd75e131026e8bc44d140a6a0aa8608b8cc6c277d0251cf145e7ef7a5e4f0b888dba823a2d03574d2750a304f0856646209c271c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Code Cache\js\index-dir\the-real-index

MD5 5375cff52341f420d94c0e1dc64aaf27
SHA1 275791ba7a12e301b5eaeca005633325cb112bb2
SHA256 72d7091118fda907c583f41dd4438ea2a18eec9091fa5ee44d2560bc6307d16f
SHA512 859f1d76817eedcb4616ce542323086fec425586a95f0124cc5c57fa27d324a3901d1432085223810ea74df6cf59d91cab3abc588c4548d7b126ab4924a5f6b4

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\DevToolsActivePort

MD5 2a7b1db39eef196e6f6ccb5ca3b9f670
SHA1 47f20c5be61867836a60dce57ed103d2ce12a96f
SHA256 13fb4531e16f53c18852710edf633221076ea9ab02f059e632d453c6c462cb36
SHA512 67141ec2f9ec0f3d764e758bbb4aa6ca943808ce02b17285fd88b950c0c788ea1c969c6234424f15e99ed4eea20ebe6132991c93a73f68a43d92ad69d7aaf67e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Crashpad\settings.dat

MD5 fcb36f3bcaf2d8d40a85bdc7c2bb0c79
SHA1 6bb0a188b381de2c3e46872f4e901026c4df2c1c
SHA256 1baa75b2a166e80374238f403a9d0c2ce37fea05f8960e947e6253717a8eed87
SHA512 12dcd6b8cebf67bc6c22c29d8e973bc00d59a544677dfad4bf08ea224b418bdfc396f9ec9307edc948f945c66eec35bfcd5d78229cd13d88d0416ddd734cbc15

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\chrome_debug.log

MD5 3024ab640bac1e44366a05363fe78876
SHA1 43dca96aa03e6c648f5c4c8c96fbddde3924b8eb
SHA256 fdb0cb6fce9de1f20340cf36fbde2e12dd0ad1b5b0fddb02d0ca6f7985366641
SHA512 3bebdf6d2949507c3def04d383aceb480659312f9b41281b603ed73cc61761b016d1227ece1415e91021db1b21933d73c737cb1919e8bddafe3a4e65ff6a9d1d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\data_1

MD5 b6ad010cedaa5e89715d69a767e5b819
SHA1 904b6745abc2a8133101cdcce0149be078dc6b18
SHA256 f46c42c840efeea23ec634dca02c329feca620310d36b8b9be878520515e908f
SHA512 a6ba0c4fc0829fc77824834c255245c6e5efc66ef61c5faa2b4ffb39a8fdac6070ddf656657900d628ba4fe7953d24d4df397b5728c93489934ea09419527544

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\data_0

MD5 7ea01d772a1e999213c72f4d8fde0b7e
SHA1 7d1f29366dbddb7d0f9a3dc169ad291c40b3fa8f
SHA256 5dd856a102061760013a4f085d2c88e09e2e89fa2c2ad2aebf87e07cbf6215b5
SHA512 579502c3a555180e7f08530fd36a85a7d9fa65ebe39a49d942a392b542510bb58b2b80cc966d76cf4a6e0ca29a917c92551d8f0890407666cf3e3a6f16ba4e57

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000015

MD5 09fcf372ae90d5a60679f8ae4f3470de
SHA1 148f90f27a8af4cf63dc6bc9e4642e21ab30d4ea
SHA256 574658e831ce78fb5a714b44b8dac9a0733886c3c4d15bf84da893a1d21ea49a
SHA512 aea96835a5a8e66b43ff112ea9c3054ad9db01875d5df8a613044d9299d51d3dc399d335633440e23f4dfd5c07d9f9c2398d8311fbe38e71c55d8b1605d8a400

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Code Cache\js\247c7862c30276d1_0

MD5 b96692c1e5470a4252891b05c4ac1a68
SHA1 d713c27bba5a4d3ab150281ce58ec308633f076f
SHA256 1ecb683f00d36642f80e4484a38de8db10d9409350006f4f0d0d18ea7c6167a9
SHA512 e7336b41dfc07ff1a7614a5a2a6e81db9bec5f87b958a0fbeea8d824561e3b6687ba6ca274fc54ea7fd84d42c40f1f25683d20871674d2b6c0e2dfc5c85d677b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Code Cache\js\082103dd7209e9e1_0

MD5 7caabc9bbfe7b3d467688738803e8e89
SHA1 809972806a3fd6f97af6384dfdef1fd2da073de8
SHA256 18031067c5ef638ab4fd29ed7c9c1281f319e13e1e59ea4b96a8b849b3928c2e
SHA512 c48cbd098d89ece5ff22f9cc1642d88c6bc4a140a114f9bdd61b8072085682fb97e8477aa649c412e0bb2be4cbabddf2217fa5177d1f1908000f092aa5b16323

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Code Cache\js\0135e88a5430dc9e_0

MD5 0235b74be8ea8ca6b662cffcef98a86b
SHA1 91244c39ba58106b224f0949cb9e16e8c1b27104
SHA256 96c75aa093aa1a59b2a8a6e61f05fd7017e2ad19bcc1bd4be6aea66248b9939a
SHA512 f94cf7d74da1f7e6b3457245e373a1c57d0aa83393e5687062aec8a5da5b34e9941b4dbda15e938cafd19cdf75f425f643e726ab7309d2317651dd2e86751699

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\index

MD5 919f6931697b61a1edc5e48ca5de7a99
SHA1 879cb7c5bc43f621f36fc1afcb0b2ebb0c0d006c
SHA256 781d26194421f4f3c80a51109d5613ced694d5d05b48bcf350b6d6f8dc41c3c0
SHA512 49dd7589719169edfa3dd4ff76f6c3633acb13f7a48c81c9c5a279bd8f9117c33b8dd472aa718612fca15ab92232711571287012c81a2c576f845c2826c4078a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000014

MD5 f88677e29b54dd5db296c326af6a4d9d
SHA1 1de3f597acaaf196e878c566c84dc27ada095d0a
SHA256 cad8566d3569c9df8104ca1a2f7a707fad71762f77cc34b009eee7ad753ab29e
SHA512 92d6c7bd43c437c596096e61b34a04799c82c0f79ab208ea04bf652faec038bde6c363686c6c973158b1048c81ed979874b369379d02e8e5e8ef9a94c354368c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000013

MD5 871f7ecfcc9407aaaf179e917aa66306
SHA1 876298a6ca7cd90dace253636a70d1078a967140
SHA256 c0007603181a3cfcddbabde97699835d028309ebfd7ad2dfd528b6e24305ca7e
SHA512 64446cd7647fa751a28e327f05b30549a2d846dd0a6da0c60f98a2ca62db7e8dc0567b0a0b5dd61f38737515b4119ad02ba81b58512aed09a990085b5ac888f5

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000012

MD5 79b9a3fa2b9659e042b021c7b5e2129b
SHA1 0608194000a372f4388a1910f388c1c0b7fb38da
SHA256 49e21d3a2743c40a16e5610bf6a1e0ce1a43c28f392ce741858f88cc17df736b
SHA512 a10f34b2890a46924ba2ed95522540ae1dc94051ab945dc471610b05dccb9991a0770cdcc256ca7012c58980c3cc2c671091d26b97cd65e454b514db6779ed8d

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000011

MD5 8f85a434b0b0f86f391c877919778260
SHA1 03ab0b1102a6fab1dcbc72bc0f4ecbe9cb83db72
SHA256 cfa7de2e1edcd4d3ccbd5f5aa1abe9ede00e6a1c0e2425694509a0cd6f7cdf6b
SHA512 ecd8dc0136b6f123dcb647423a234ba8b5a183882e1bb5f62bf6b223e5b8579d30130ff2b73bbcfadb1b6081ea479273b2386c1e741fb74b94e0bb38cf5c98d3

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000010

MD5 af595823b58a295d054ec19b83c6c649
SHA1 5c1baa394075f5f94e7331c08e69d19c1c62cf97
SHA256 0af430ffbcee43a0743549f86c2d5a68b748d226c29357aac719a719afcd70b1
SHA512 6ab3fd59369fb986e2c53e1d015b73f156686adb46554a6f3e5ed074a83bedc6bcecc09b65189c5b7cacbcbb88006cd72da22dadd771dfa9faa36443f6b3fb45

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_00000f

MD5 789fd4f17cc11ac527dc82ac561b3220
SHA1 83ac8d0ad8661ab3e03844916a339833169fa777
SHA256 5459e6f01b7edde5f425c21808de129b69470ee3099284cb3f9413d835903739
SHA512 742d95bb65dcc72d7ce7056bd4d6f55e2811e98f7a3df6f1b7daef946043183714a8a3049b12a0be8ac21d0b4f6e38f7269960e57b006dfec306158d5a373e78

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_00000e

MD5 db2bafd5a7299458ee228a5f55cafe46
SHA1 495b0477fc5af81b0106cd2e6bda8c80d818095a
SHA256 05cb8f3ad6c20f5a1ffe392b285749c857a8194ed761dfe4a62ce85a02102043
SHA512 8afb1abaccb447157d3045873ee9ec92d6858ce828b8a637d760d38561302e31e79e408d2bad51585a6585bdf0a4b72652e5e6e5799d4f3d171b120d1aba26bb

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_00000d

MD5 cb5b07718f0ee7a8b0dd097d8910011d
SHA1 23639c0ae36ba6f58dc94b1bbed93c84bcb09d61
SHA256 2b2c8477b6b2f9ca7b0be92348bc0a40efc430bf982bca4ebe28d9152f59219f
SHA512 68bf0353ca8fb90b6627109da722be32aa3365bd4eea19f642754dabac7c7b8a510c1641d2097348550fd5c45c803fb0adef6c2a7234ab1a69b477f3269b8c99

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_00000c

MD5 ccd8fdb35b360d667aabd139cf2f763d
SHA1 249cb9ff5099f07f488b4d5429634fe8a8ca6ea8
SHA256 8ed710089acb08631c28bdfcef5628a616b3a65e88372fd63977d0fbda249f1f
SHA512 b2feafbcc91a712fcce214212e57ce8a22b0badad52ae3e05947715828769188a46a5fcfd76eb8641087529e560b4b0b953e456bf58e4e46f0c5f67a6debbebe

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_00000b

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_00000a

MD5 2d52125a96fb5a7227c67848bc18f65c
SHA1 a3593c6d8e3b6b458b6bbc2c6423dc76e30a84a3
SHA256 61f3154c19e46e1989d6fadbfe20835d0c9fc47242dc5828e776e3ec667fda24
SHA512 5f151708007cb474e64e8968b1f6b5e5331c434cc237627c6c5c92d1894d020f476ad88461e35fbf383aa46750a9cdcaf3a2ac8fe90570753c73fcf17ac0cbe6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000009

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000008

MD5 c101a8ba729b894927d7d884e4be68a8
SHA1 4bf48f94ff4e50e81c9d83b641af74b3bed580a0
SHA256 544f08482a62485be4acbc443462b01fe16b408b3d154c0cb1ff921a453cee33
SHA512 77483a92abeed799dfb1e782988569875b29eccebfb14e5be353302849ea6f0ac6a6411a72d6da706ec3767a54f12907fd0bfa4646ad4ca1cf4e1e15fbe9a9ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000007

MD5 785ba98032d1a64d795f115f16bf412b
SHA1 13f610f0770abaf57ee245dd4f2f37494e33fdc7
SHA256 764d4829ff63ea30ceb40a984e3074abff1e0769e5486b129cdf3e7e4d123d81
SHA512 ca7d8d510eacf8209c4696c32e15bd4bc3b1b3a0ed007761fc8a397a61c36a883c2d4bfc4bce14584cd0fcebfacfbbe1a5984c7eeea61646fed44ec8ec18eae5

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000006

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000005

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000004

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000003

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\f_000002

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\data_3

C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ6CUK\Default\Cache\Cache_Data\data_2

memory/1604-831-0x0000000074BF0000-0x00000000752DE000-memory.dmp

memory/1604-832-0x0000000000E20000-0x0000000001454000-memory.dmp

memory/588-833-0x0000000019A60000-0x0000000019D42000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 14:50

Reported

2023-08-10 14:53

Platform

win10v2004-20230703-en

Max time kernel

128s

Max time network

146s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Windows\Temp\setup.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3368 set thread context of 4304 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Windows\Temp\setup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2696 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 2696 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 1964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 1964 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2696 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2696 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2696 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 3368 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3368 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3368 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3368 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3368 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4140 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 2396 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 2396 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 3008 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 3008 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 2660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 2660 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 3348 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4140 wrote to memory of 3348 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 5100 wrote to memory of 2072 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5100 wrote to memory of 2072 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5100 wrote to memory of 3876 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5100 wrote to memory of 3876 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5100 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5100 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5100 wrote to memory of 4028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5100 wrote to memory of 4028 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4304 wrote to memory of 372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4304 wrote to memory of 372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 372 wrote to memory of 4748 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 372 wrote to memory of 4748 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 372 wrote to memory of 4748 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2696 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2696 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2696 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 3992 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3992 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2212 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1716 wrote to memory of 2248 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\3020-61-0x0000000002340000-0x0000000002374000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3368 -ip 3368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#aphxvwqidivozfmt#> powershell <#aphxvwqidivozfmt#> -Verb <#aphxvwqidivozfmt#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=56878 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data3Y52G" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data3Y52G" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data3Y52G\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data3Y52G" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8e11f9758,0x7ff8e11f9768,0x7ff8e11f9778

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1344 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1676 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=56878 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1972 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 14:41 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 14:41 /f /tn GoogleUpdateTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=56878 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2380 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=56878 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=56878 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3160 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=56878 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2376 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=56878 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3432 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2620 --field-trial-handle=1452,i,13014787770195238010,12053035172134452422,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x320 0x448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIQAL5" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIQAL5\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIQAL5" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f73146f8,0x7ff8f7314708,0x7ff8f7314718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=14754 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User DataIQAL5" --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1496,16256866349759108923,971668991209351362,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1504 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,16256866349759108923,971668991209351362,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1732 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=14754 --allow-pre-commit-input --field-trial-handle=1496,16256866349759108923,971668991209351362,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2000 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
NL 136.244.98.226:33587 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 226.98.244.136.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp
NL 104.85.1.163:443 www.microsoft.com tcp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 185.159.129.168:80 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
RU 185.149.146.118:80 tcp
RU 77.91.77.144:80 tcp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:80 pastebin.com tcp
US 104.20.67.143:443 pastebin.com tcp
RU 46.29.235.84:80 46.29.235.84 tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 84.235.29.46.in-addr.arpa udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 ogs.google.com udp
DE 172.217.23.206:443 apis.google.com tcp
NL 142.250.179.206:443 ogs.google.com tcp
US 8.8.8.8:53 i.ytimg.com udp
DE 172.217.23.214:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 142.250.179.206:443 play.google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 214.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 142.250.179.206:443 play.google.com udp
US 8.8.8.8:53 162.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.130:443 googleads.g.doubleclick.net tcp
NL 142.250.179.130:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 130.179.250.142.in-addr.arpa udp
DE 172.217.23.214:443 i.ytimg.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/2696-133-0x0000000000310000-0x0000000000344000-memory.dmp

memory/2696-134-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/2696-135-0x0000000005450000-0x0000000005A68000-memory.dmp

memory/2696-136-0x0000000004F40000-0x000000000504A000-memory.dmp

memory/2696-138-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2696-137-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

memory/2696-139-0x0000000004E70000-0x0000000004EAC000-memory.dmp

memory/2696-140-0x0000000005150000-0x00000000051C6000-memory.dmp

memory/2696-141-0x0000000005270000-0x0000000005302000-memory.dmp

memory/2696-142-0x0000000006510000-0x0000000006AB4000-memory.dmp

memory/2696-143-0x0000000005A70000-0x0000000005AD6000-memory.dmp

memory/2696-144-0x00000000062C0000-0x0000000006482000-memory.dmp

memory/2696-145-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/2696-146-0x00000000086E0000-0x0000000008C0C000-memory.dmp

memory/2696-147-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/2696-148-0x0000000006200000-0x0000000006250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 80b0b41decb53a01e8c87def18400267
SHA1 885f327c4e91065486137ca96105190f7a29d0f9
SHA256 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\Temp\setup.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4860-170-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

memory/4860-169-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

memory/4860-171-0x00007FF8FE050000-0x00007FF8FE245000-memory.dmp

memory/4860-172-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

memory/4860-173-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

memory/4860-174-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

memory/4860-175-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

memory/4860-176-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

memory/4860-177-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

memory/3368-186-0x00000000003E0000-0x000000000066B000-memory.dmp

memory/4860-187-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

memory/3368-188-0x00000000003E0000-0x000000000066B000-memory.dmp

memory/4304-189-0x0000000000400000-0x0000000000527000-memory.dmp

memory/4304-196-0x0000000000400000-0x0000000000527000-memory.dmp

memory/4304-198-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-197-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-199-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-200-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-201-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-202-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-204-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-205-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-203-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-206-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-208-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-207-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-210-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-209-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-211-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4860-213-0x00007FF8FE050000-0x00007FF8FE245000-memory.dmp

memory/4304-212-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-215-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-217-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-216-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-214-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-219-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-218-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-220-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-221-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-222-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-224-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-223-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-225-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-226-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-228-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-229-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-230-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-227-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-231-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-232-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-233-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-234-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-235-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-236-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-237-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-239-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-238-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-240-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-241-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-242-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-245-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-243-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-244-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-246-0x00000000FFB80000-0x00000000FFB90000-memory.dmp

memory/4304-269-0x0000000077E82000-0x0000000077E83000-memory.dmp

memory/3368-274-0x00000000003E0000-0x000000000066B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkiqtvdd.nxk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2076-317-0x000001D17B1F0000-0x000001D17B212000-memory.dmp

memory/2076-318-0x00007FF8DFB70000-0x00007FF8E0631000-memory.dmp

memory/2076-320-0x000001D179120000-0x000001D179130000-memory.dmp

memory/2076-319-0x000001D179120000-0x000001D179130000-memory.dmp

memory/2076-321-0x000001D179120000-0x000001D179130000-memory.dmp

memory/2076-322-0x000001D179120000-0x000001D179130000-memory.dmp

memory/2076-325-0x00007FF8DFB70000-0x00007FF8E0631000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3300-328-0x00007FF8DFB70000-0x00007FF8E0631000-memory.dmp

memory/3300-329-0x000001DCF2020000-0x000001DCF2030000-memory.dmp

memory/3300-330-0x000001DCF2020000-0x000001DCF2030000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/3300-341-0x000001DCF2020000-0x000001DCF2030000-memory.dmp

memory/3300-342-0x000001DCF2020000-0x000001DCF2030000-memory.dmp

memory/3300-344-0x00007FF8DFB70000-0x00007FF8E0631000-memory.dmp

memory/4860-347-0x00007FF8FE050000-0x00007FF8FE245000-memory.dmp

memory/4860-348-0x00007FF6FA7F0000-0x00007FF6FBA16000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 84741bc02d2e9226a943aa03b6a4568d
SHA1 617d01316011faf77fba30d49ae1e86ff988380a
SHA256 fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

memory/4684-351-0x00007FF7765F0000-0x00007FF777816000-memory.dmp

memory/4684-352-0x00007FF8FE050000-0x00007FF8FE245000-memory.dmp

memory/4684-359-0x00007FF7765F0000-0x00007FF777816000-memory.dmp

memory/4684-360-0x00007FF8FE050000-0x00007FF8FE245000-memory.dmp

memory/372-422-0x0000000075370000-0x0000000075B20000-memory.dmp

memory/372-423-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

memory/372-424-0x0000000002C40000-0x0000000002C76000-memory.dmp

memory/372-425-0x0000000005620000-0x0000000005C48000-memory.dmp

memory/372-426-0x0000000005580000-0x00000000055A2000-memory.dmp

memory/372-427-0x0000000005E40000-0x0000000005EA6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c5441b9913e1852f5e2a1d22a7a2309f
SHA1 c86d4261ebcc78000d97c7a6b1fad7767a63da8e
SHA256 32f8998545c708c9530d01abb76e0f8e56bd0da3cb025d308f7a749ffda16e95
SHA512 808038f28677f0120f098b820cf838863b44409f429861c0fda5ed5687b928807a81873895d1cea67056d07d3c383b6f1dff3ae736f74e41e4a5b882106927bd

memory/372-438-0x00000000065E0000-0x00000000065FE000-memory.dmp

memory/372-439-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
