Malware Analysis Report

2025-01-18 07:59

Sample ID 230812-fwnmpacb4s
Target 2780-62-0x00000000031A0000-0x00000000031D4000-memory.dmp
SHA256 6500b57ce7a74f9df49618687dcca6debb7dc8cb3e274cabee464c5304587a43
Tags
logsdiller cloud (tg: @logsdillabot) redline infostealer spyware stealer evasion themida
score
10/10

Analysis Overview

score
10/10

SHA256

6500b57ce7a74f9df49618687dcca6debb7dc8cb3e274cabee464c5304587a43

Threat Level: Known bad

The file 2780-62-0x00000000031A0000-0x00000000031D4000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

logsdiller cloud (tg: @logsdillabot) redline infostealer spyware stealer evasion themida

RedLine

Redline family

Stops running service(s)

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Themida packer

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-08-12 05:13

Signatures

Redline family

redline

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-12 05:13

Reported

2023-08-12 05:16

Platform

win7-20230712-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe"

Signatures

RedLine

infostealer redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe"

Network

Country Destination Domain Proto
PL 51.83.170.21:19447 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-08-12 05:13

Reported

2023-08-12 05:16

Platform

win10v2004-20230703-en

Max time kernel

32s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe"

Signatures

RedLine

infostealer redline

Downloads MZ/PE file

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cli.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Windows\Temp\setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2948 set thread context of 3516 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cli.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 3928 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 3756 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 3928 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 2948 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 224 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2428 wrote to memory of 1296 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2428 wrote to memory of 4820 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2428 wrote to memory of 2472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\2780-62-0x00000000031A0000-0x00000000031D4000-memory.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 284

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb3cf39758,0x7ffb3cf39768,0x7ffb3cf39778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=27455 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF" --profile-directory="Default"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1340 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1684 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=27455 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2000 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=27455 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2388 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=27455 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2568 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=27455 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3192 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=27455 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3364 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=27455 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3524 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=3460 --field-trial-handle=1452,i,14013704302641827857,10346568274792365688,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3c0 0x40c

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e


memory/3516-294-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-292-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-290-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-288-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-286-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-283-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-279-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/2948-304-0x0000000000520000-0x00000000007AB000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

memory/3516-262-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-260-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-258-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-253-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-247-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/3516-319-0x00000000773F2000-0x00000000773F3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Local State

MD5 f3f6e9f0b1433d96dd5c4040df198bf5
SHA1 9a257183ea451cbb8e4763238d90fec6c2843206
SHA256 7c0e9090c663046ef083a894d6ded423130f3547e6c7949e610144a46a95ca05
SHA512 6130d5570f209ba8a232475909430649662c7c4ed0aa943a5571e007fef52b2568a1d458647fc8d6eb0147339275a569e4d37d858b892d1e32a0cf6428d1fcee

memory/1336-210-0x00007FF77A2F0000-0x00007FF77B555000-memory.dmp

memory/3516-211-0x00000000FF4C0000-0x00000000FF4D0000-memory.dmp

memory/224-200-0x0000000005E90000-0x0000000005EA0000-memory.dmp

memory/1336-192-0x00007FF77A2F0000-0x00007FF77B555000-memory.dmp

memory/224-324-0x00000000006D0000-0x0000000000D04000-memory.dmp

\??\pipe\crashpad_2428_IAWAXCJFLJALQENS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Network\TransportSecurity

MD5 5858331c4b508ec8beddc4863546adfd
SHA1 d90fd437538c919fd47e95872b1769ddbbd05b88
SHA256 d26fada14af488085127f39ecbc98873c893b70cab2ff2685f53d62c33906ba1
SHA512 a262eaec21e5d726caee06a8bcf1d3a753ed736907abfb0279f765a5037b9cfbcea8349b3b1a29b9d68080939d910e1df4a2c0a54f06ed3ef90a00d7cac13e17

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Network\Reporting and NEL

MD5 ac9c8c1d8b9425547c0e58478f05cce3
SHA1 fbed434793e942175e9a077aebc3a69ae45fcb27
SHA256 d0fe65d48a7ad1a95bc2be0589bea3f3765457204bbf0c562a52a79078934ffb
SHA512 9d3064c08a279cb17bde40bd133d44029477d5aa285d788289db3ae37c31377e79aaffa842828a9f345efa3f93ea0044468e92d78e61c59656ccdcd2f8df0558

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Network\Network Persistent State

MD5 e0e9e3b9ad31b9371623a9226cb8716f
SHA1 1ece83217d8b6ed3e403dadc1b9bcf5aa6f91f14
SHA256 012bba5b03263c051159ef9d8610840bf0e20aa1fa3315e5df6c8a22a72b0e12
SHA512 94a5acdc7ecf3e544a5d38953a21fd6161f6516abaa748d3040c2123a673feba31b2046290ec1ed843f318a6c9d7d62218f3e850af4c028e2236939af5de03d4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Local Storage\leveldb\LOG

MD5 ab2f88de80a867e4dbbcb71f018dd5e0
SHA1 318eb3113f0ed5b8e5b627751b445f2cff84d053
SHA256 4af3901ee764af96bc5cf8d06edec374da93278707122aea09a1458b55858291
SHA512 2d0f70372dc54d6e0876ca068fb92d8770e97ee5cd94b2a363a2c84a6f85ced7b946cdddaea437222f9c7467e49f00ab4929e7e9cd087f2a6b143530f6450ea9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Local Storage\leveldb\LOG.old

MD5 b8fd2c7b4349e3d669d9b1b7bab5b247
SHA1 acfa8f05b218aac46c498f9e2ee0fcd0b8ebc3e2
SHA256 350a9c0e3843399defeacfe2b39ae3c4cf6c7fb71495cadd3aecc9f368038400
SHA512 4db91015ca8d41aaf1b119150ac8c925461a35d7b5320096d9e56efe0a515281be19afa3deaddf01c57822663d781a5f834d4b2dd91aa2c931b8708ac57e8f08

memory/1336-373-0x00007FF77A2F0000-0x00007FF77B555000-memory.dmp

memory/1336-374-0x00007FFB5AC70000-0x00007FFB5AE65000-memory.dmp

memory/224-377-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/224-389-0x0000000005E90000-0x0000000005EA0000-memory.dmp

memory/224-391-0x0000000005E90000-0x0000000005EA0000-memory.dmp

memory/224-390-0x0000000005E90000-0x0000000005EA0000-memory.dmp

memory/224-397-0x0000000005E90000-0x0000000005EA0000-memory.dmp

memory/2744-398-0x000002C2C3440000-0x000002C2C3462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxemttll.qi4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2744-404-0x00007FFB3AA80000-0x00007FFB3B541000-memory.dmp

memory/2744-412-0x000002C2DB960000-0x000002C2DB970000-memory.dmp

memory/2744-411-0x000002C2DB960000-0x000002C2DB970000-memory.dmp

memory/2744-422-0x000002C2DB960000-0x000002C2DB970000-memory.dmp

memory/2744-441-0x00007FFB3AA80000-0x00007FFB3B541000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/4948-478-0x00007FFB3ABA0000-0x00007FFB3B661000-memory.dmp

memory/4948-479-0x0000024EB2590000-0x0000024EB25A0000-memory.dmp

memory/4948-480-0x0000024EB2590000-0x0000024EB25A0000-memory.dmp

memory/4948-491-0x0000024EB2590000-0x0000024EB25A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 06660a8778486613d049b82d64ea3632
SHA1 1a317a40a29bb4ef60ea63a8e90e35debfe9759f
SHA256 5920208300170d61aef5bc1d574a8fddf8ab84db52154912f2933a7357e98396
SHA512 bda1b27fc39dc127a7164281fc130fe9b4f19aa69a486fbaed5867f801ee438a05d4752f6a42ce11c503ca2dbc0ac36834c6470669bc27dd507704443313ef69

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 2e47052e7d1d365e44f012ecfba3dbc7
SHA1 e6b87f6826b0dae69a81794184335b6f5066fd36
SHA256 7b63806af0c63312a1f1d9aa04f4749a211351b1fc6b117bb97f142638bf907f
SHA512 c5b1bf429b49c719535c637d948cc3f6cf42e07baad35c44891feaa923da16990bdbfcf03b55d9f182ed0d1e4f77265f2886fcea0b3f5ccd5d12dab656be2b71

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5839d8.TMP

MD5 cf390f0dd61b9a8228b82cad52f2eb12
SHA1 5658c495e842576fe2cb7c322619fc80f904eaa2
SHA256 624104aebb2a98a6ed1f5de3eb299397e45ed17518024eaeeb21f77f60ba7a8d
SHA512 aaa42c599b691e720c1ecabc76a6d7d4b83cc8f22fa0e22be26a9eac39785870da36d1b860e36c59f475b0e6b16b19a6e234bfafd309372cbb75beb1bcb19a1f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data5EOUF\Default\Service Worker\ScriptCache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

memory/4948-533-0x0000024EB2590000-0x0000024EB25A0000-memory.dmp

memory/4948-544-0x00007FFB3ABA0000-0x00007FFB3B661000-memory.dmp

memory/1336-547-0x00007FF77A2F0000-0x00007FF77B555000-memory.dmp

memory/1336-548-0x00007FFB5AC70000-0x00007FFB5AE65000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 489ebe618467ec9363d73570b7cee861
SHA1 26df0666f941cc54621607dafe4e3be1b1e75359
SHA256 e950e74caf4023e363801b67fe3eca901f26312e90c535cb5c347f03ce39ba15
SHA512 30cdf66c3ba56ac43ba9920a24d2fa144bb41715416da20445dafa28bdfdaed035ac2ded1c35d7f49b92eb5ca3766a9a4bd0fb46971dca7cbb257f900cdab5a4

memory/3740-566-0x00007FF749690000-0x00007FF74A8F5000-memory.dmp