Malware Analysis Report

2024-11-16 13:33

Sample ID 240526-1nwzbadb51
Target заебло.exe
SHA256 4d509fb0a36f1ae2991f0e6fb7ec5837d722c426b79178e207fa59fbe1bea547
Tags xworm execution persistence rat trojan
Score 10/10


Analysis Overview

Score
10/10

SHA256

4d509fb0a36f1ae2991f0e6fb7ec5837d722c426b79178e207fa59fbe1bea547

Threat Level: Known bad

The file заебло.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm family

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Creates scheduled task(s)

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 21:48

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 21:48

Reported

2024-05-26 21:52

Platform

win7-20240221-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\заебло.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\schtasks.exe
PID 1716 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\schtasks.exe
PID 1716 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\schtasks.exe
PID 2524 wrote to memory of 2816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 2816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 2816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 2188 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 2188 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 2188 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2524 wrote to memory of 968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\заебло.exe

"C:\Users\Admin\AppData\Local\Temp\заебло.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\заебло.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'заебло.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {FD991FE7-4CB0-4038-B446-54D8795DB480} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:53750 tcp
US 8.8.8.8:53 involved-delete.gl.at.ply.gg udp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
N/A 127.0.0.1:53750 tcp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
N/A 127.0.0.1:53750 tcp
N/A 127.0.0.1:53750 tcp
N/A 127.0.0.1:53750 tcp
N/A 127.0.0.1:53750 tcp
N/A 127.0.0.1:53750 tcp
N/A 127.0.0.1:53750 tcp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
N/A 127.0.0.1:53750 tcp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
N/A 127.0.0.1:53750 tcp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
N/A 127.0.0.1:53750 tcp

Files

memory/1716-0-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

memory/1716-1-0x0000000000830000-0x000000000085A000-memory.dmp

memory/1716-2-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

memory/2576-7-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

memory/2576-8-0x0000000002470000-0x0000000002478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 536ee90f3dbced0710b03dfcdf4e5ad4
SHA1 051f477043e68c0565d7fb654eba2b06a44e6226
SHA256 b8d0e3f1d93b4361645da061104523314289bcf1066f0ef12ff02fc4b31c3c2d
SHA512 4025b7e5bb6030a66dde9dcaaed414e829686435ca68fac98f4abf6f17751f01467c09edda982c16296c958fe1c6ee00af8c9198748a6eef209cc7b3f1d408ae

memory/2644-14-0x000000001B180000-0x000000001B462000-memory.dmp

memory/2644-15-0x0000000002420000-0x0000000002428000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 5564cabd0a4507eab2361da606eef877
SHA1 f8157479222fa2596fe95d3285f178398cdfd233
SHA256 4d509fb0a36f1ae2991f0e6fb7ec5837d722c426b79178e207fa59fbe1bea547
SHA512 ca059498604f20baa9420b60b3178c76017b73b7dad172f0297524e49976914058fdffea40cd06382011f239fe1bbc02cf87e2a53ec1f5b022fef223cfb9916b

memory/2816-35-0x0000000000FC0000-0x0000000000FEA000-memory.dmp

memory/1716-36-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

memory/1716-37-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

memory/2188-40-0x00000000010E0000-0x000000000110A000-memory.dmp

memory/968-42-0x00000000012B0000-0x00000000012DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 21:48

Reported

2024-05-26 21:52

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\заебло.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612338275985592" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\schtasks.exe
PID 2544 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\заебло.exe C:\Windows\System32\schtasks.exe
PID 2236 wrote to memory of 4548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 4548 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 3448 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 2792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 2792 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2236 wrote to memory of 1420 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\заебло.exe

"C:\Users\Admin\AppData\Local\Temp\заебло.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\заебло.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'заебло.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaf821ab58,0x7ffaf821ab68,0x7ffaf821ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3628 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4584 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4664 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3452 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4488 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5156 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4800 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5012 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x324 0x150

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5764 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5676 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5936 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6092 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5804 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1952,i,10066094948762798562,14559751780067484939,131072 /prefetch:8

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 involved-delete.gl.at.ply.gg udp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
N/A 127.0.0.1:53750 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:53750 tcp
N/A 127.0.0.1:53750 tcp
US 8.8.8.8:53 www.google.com udp
FR 216.58.215.36:443 www.google.com udp
FR 216.58.215.36:443 www.google.com tcp
US 8.8.8.8:53 131.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 138.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 36.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.174:443 play.google.com udp
FR 172.217.20.174:443 play.google.com tcp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
FR 216.58.213.78:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
FR 216.58.213.78:443 clients2.google.com tcp
US 8.8.8.8:53 78.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
N/A 127.0.0.1:53750 tcp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 162.20.217.172.in-addr.arpa udp
US 66.254.114.41:443 www.pornhub.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
US 8.8.8.8:53 static.trafficjunky.com udp
US 8.8.8.8:53 ei.phncdn.com udp
GB 64.210.156.20:443 ei.phncdn.com tcp
GB 64.210.156.20:443 ei.phncdn.com tcp
GB 64.210.156.23:443 ei.phncdn.com tcp
GB 64.210.156.23:443 ei.phncdn.com tcp
GB 64.210.156.23:443 ei.phncdn.com tcp
GB 64.210.156.23:443 ei.phncdn.com tcp
GB 64.210.156.23:443 ei.phncdn.com tcp
GB 64.210.156.23:443 ei.phncdn.com tcp
US 8.8.8.8:53 media.trafficjunky.net udp
US 8.8.8.8:53 prvc.io udp
US 8.8.8.8:53 cdn1-smallimg.phncdn.com udp
GB 64.210.156.23:443 media.trafficjunky.net tcp
US 66.254.114.156:443 cdn1-smallimg.phncdn.com tcp
US 104.21.56.52:443 prvc.io tcp
GB 64.210.156.23:443 media.trafficjunky.net tcp
US 8.8.8.8:53 unpkg.com udp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 20.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 23.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 156.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 52.56.21.104.in-addr.arpa udp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
US 104.17.248.203:443 unpkg.com tcp
US 8.8.8.8:53 ss.phncdn.com udp
US 8.8.8.8:53 eg-cdn.trafficjunky.net udp
PL 93.184.223.43:443 eg-cdn.trafficjunky.net tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 ads.trafficjunky.net udp
FR 172.217.18.202:443 content-autofill.googleapis.com tcp
US 66.254.114.154:443 ads.trafficjunky.net tcp
US 8.8.8.8:53 hw-cdn2.trafficjunky.net udp
GB 64.210.156.6:443 hw-cdn2.trafficjunky.net tcp
GB 64.210.156.6:443 hw-cdn2.trafficjunky.net tcp
US 8.8.8.8:53 72.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 203.248.17.104.in-addr.arpa udp
US 8.8.8.8:53 43.223.184.93.in-addr.arpa udp
US 8.8.8.8:53 hw-cdn2.adtng.com udp
GB 64.210.156.0:443 hw-cdn2.adtng.com tcp
US 8.8.8.8:53 storage.googleapis.com udp
FR 172.217.18.219:443 storage.googleapis.com tcp
US 8.8.8.8:53 202.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 154.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 6.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 0.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 219.18.217.172.in-addr.arpa udp
N/A 127.0.0.1:53750 tcp
US 8.8.8.8:53 analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
BE 64.233.166.157:443 stats.g.doubleclick.net tcp
US 216.239.34.181:443 analytics.google.com tcp
US 8.8.8.8:53 ew.phncdn.com udp
US 8.8.8.8:53 cdn1d-static-shared.phncdn.com udp
US 8.8.8.8:53 157.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 181.34.239.216.in-addr.arpa udp
US 104.21.56.52:443 prvc.io udp
BE 64.233.166.157:443 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
FR 142.250.201.163:443 www.google.co.uk tcp
US 8.8.8.8:53 ht-cdn.trafficjunky.net udp
US 8.8.8.8:53 etahub.com udp
US 66.254.114.62:443 etahub.com tcp
US 8.8.8.8:53 163.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 galleryn1.vcmdiawe.com udp
LU 93.93.51.190:443 galleryn1.vcmdiawe.com tcp
FR 172.217.18.202:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 a.adtng.com udp
US 66.254.114.171:443 a.adtng.com tcp
US 8.8.8.8:53 ht-cdn2.adtng.com udp
GB 64.210.156.19:443 ht-cdn2.adtng.com tcp
US 8.8.8.8:53 62.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 190.51.93.93.in-addr.arpa udp
US 8.8.8.8:53 171.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 19.156.210.64.in-addr.arpa udp
US 216.239.34.181:443 analytics.google.com udp
US 8.8.8.8:53 qckload.com udp
US 34.225.210.0:443 qckload.com tcp
US 8.8.8.8:53 www.securegfm2.com udp
DE 18.197.208.17:443 www.securegfm2.com tcp
US 8.8.8.8:53 dg-videos.b-cdn.net udp
US 8.8.8.8:53 0.210.225.34.in-addr.arpa udp
FR 143.244.56.49:443 dg-videos.b-cdn.net tcp
US 8.8.8.8:53 17.208.197.18.in-addr.arpa udp
US 8.8.8.8:53 49.56.244.143.in-addr.arpa udp
N/A 127.0.0.1:53750 tcp
US 8.8.8.8:53 evtubescms.phncdn.com udp
GB 64.210.156.1:443 evtubescms.phncdn.com tcp
US 8.8.8.8:53 ht-cdn2.trafficjunky.net udp
US 8.8.8.8:53 1.156.210.64.in-addr.arpa udp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
GB 64.210.156.20:443 ht-cdn2.trafficjunky.net tcp
US 34.225.210.0:443 qckload.com tcp
DE 18.197.208.17:443 www.securegfm2.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
FR 172.217.20.174:443 play.google.com udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
N/A 127.0.0.1:53750 tcp
N/A 127.0.0.1:53750 tcp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp
N/A 127.0.0.1:53750 tcp
US 147.185.221.19:53750 involved-delete.gl.at.ply.gg tcp

Files

memory/2544-0-0x00007FFAFCB13000-0x00007FFAFCB15000-memory.dmp

memory/2544-1-0x0000000000510000-0x000000000053A000-memory.dmp

memory/2544-2-0x00007FFAFCB10000-0x00007FFAFD5D1000-memory.dmp

memory/3464-3-0x00007FFAFCB10000-0x00007FFAFD5D1000-memory.dmp

memory/3464-4-0x00007FFAFCB10000-0x00007FFAFD5D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_szay3we1.5hg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3464-14-0x0000020261190000-0x00000202611B2000-memory.dmp

memory/3464-17-0x00007FFAFCB10000-0x00007FFAFD5D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f3b96b24f06e2d37a46e43e8b784f56
SHA1 7be6702c5867f359e913eeeecdd5b76698589295
SHA256 8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720
SHA512 d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

memory/5104-56-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-58-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-57-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-68-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-67-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-66-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-65-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-64-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-63-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

memory/5104-62-0x0000028DBD2B0000-0x0000028DBD2B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

MD5 ff129d38ff726cf823ec6ae6167e9f5e
SHA1 d9fb7daeaf5ae7f241c92e1e20e56902cd3db1ff
SHA256 202c62490e8f78616da11349a030a14e2fab58a048061fcf878f345387460b02
SHA512 08967b5eb515edcedbd81f506b264a283dd146b549eabc57326719c47074f10600c9106713c9acbb46d225a1a4235e0892e968448f4e3a18aba874c4dec03f82

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 5564cabd0a4507eab2361da606eef877
SHA1 f8157479222fa2596fe95d3285f178398cdfd233
SHA256 4d509fb0a36f1ae2991f0e6fb7ec5837d722c426b79178e207fa59fbe1bea547
SHA512 ca059498604f20baa9420b60b3178c76017b73b7dad172f0297524e49976914058fdffea40cd06382011f239fe1bbc02cf87e2a53ec1f5b022fef223cfb9916b

memory/2544-71-0x00007FFAFCB13000-0x00007FFAFCB15000-memory.dmp

memory/2544-73-0x00007FFAFCB10000-0x00007FFAFD5D1000-memory.dmp

memory/2584-77-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

memory/2584-76-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

memory/2584-75-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

memory/2584-87-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

memory/2584-86-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

memory/2584-85-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

memory/2584-84-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

memory/2584-83-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

memory/2584-82-0x00000246B80E0000-0x00000246B80E1000-memory.dmp

\??\pipe\crashpad_2236_QZGTHREMSFTQEGYB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 acaf03cfac762d96ddae4b4a617fada9
SHA1 a4c95046a787abb69f6a0325de9062e4d9aaf2c4
SHA256 37ac2013241ba6271f9375e1fed4be04d21f1da9a19a16439e264bb2e2366127
SHA512 907c665e301e4cea189127339c0edaf6fa0f73c599a7cd2c9ddab2edf35dc01eae17c5960c95152eedf94943be9c1829f5a5c01fec3ee73ca3e92ae1ffc7f671

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4c151d9510c54526188b94bbb0d6b81e
SHA1 669da36ea38fc1a2f1cc21efa0ba5f6e0ecea3cd
SHA256 d1e0e2c659c273755a6fed6c85f1b2b26a38eee1b6170d5fb4e8198972305dcf
SHA512 8e7f3698ac2fde6cc071afa24e8284bce26e511e073590dd794ad4894e9dc65875937b513e6f22a385da318e123cb5ce15f9267e3822b5dc1bead0a4f0714a15

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 d5c7b6a2c4867567759d56de9cd068e1
SHA1 6d928282447ef639644fbdf76b85b3ac3255fe41
SHA256 6c105e1c4103a325169c628ac11ed6e4ee30e6fc5badcc6d5f7612fcd739f23f
SHA512 456bf837bf16bbb1f9ef8ccf9a65f5a933d3a2a734ed3b9e4c138b6ee2d292bf30701d13de5ffb6ecf54ab58edf0284cf5a22a6f19f128773856345c61197b8f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 8e2fb60f098982d9609e7f4022a1b527
SHA1 957688abf913eeab2cd4b4fca85489e10c1a9647
SHA256 97b87e394eda64c10ce644609c1b20d067557d42317ec4a3d0f9f6281d54caa5
SHA512 baca6452dee641e5517977ffd77f27db96ba5a45558d69be36f2431e48d4cfa6c5a4f31225dfe8ca5b104dd67ba03fb1cea3ed02b51e62d1fd6c36e8ebffd50b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

MD5 9b129dfd3909c6f9f07a8bb0acfe1cc0
SHA1 abe9ff1bb8bc6297d20a917cc7d7f84bd32aec26
SHA256 c6bf2ee424e67a09c164af5dd9a75bb1b446a4a6f50e6ee3a7d896f70ccf8f4f
SHA512 b103c37f466d5ff6f1d9cf79ca92601c060fefba9c91a8f261cea01a3374e329655742f8bdfce68e0ad0648a3bbabc66d786aa068dff32fe2bf0779bbe3067db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

MD5 87e8230a9ca3f0c5ccfa56f70276e2f2
SHA1 eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256 e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA512 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 767c96b6aeb3bcfeba0ce8104a2bc6db
SHA1 329f37d3f030b7d42426c5d03cb3658e4ae7bbf6
SHA256 755b5c58990977ab3539b4615fe0c0c878f5fde2df387dc3aaf5c3028db3ebd9
SHA512 c78c7af5ee6296664257cab56b715acb2831c6c114da7f80b22671a94fb16ed8066ca80846d74081b7db860b86a3a92c307c66bc083732e06e55b1846345dd06

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6a2869929812fce4a20703496a055ce5
SHA1 eb7fbc70e0dd6e95c6655df71e5851d4093923c3
SHA256 9aac3d81e44653c4be965b3735c14b049e972d6f55f74b28bd28dc402a9dd3a7
SHA512 08bb128c1efe6791da62651329a6cd998fe630c13e2e3b51b1f88df90bc7204ec939eff926a66d79b75227320c5aac67ee369b7e5c0e2a9f1adc7b9be3414da8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

MD5 75f1d5724eddb6c481e2e87727c0a19d
SHA1 3cfe079018e25b2646f23e0744bc5af2114ee256
SHA256 751f9ea75e28033193df30031bf3d33e0553e1644ccbaecb26fe7d3bda21b78c
SHA512 a52fade9a438e7896f12afb5b8cccf05ab2cdd71dcc8683ba80001e74800d0c6a6d446d162e75eff573ccfc7106c1beb6f91bdd41753b81a6f5b7510c7c36b4a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

MD5 c8e9e47eaa575af3e09d7a3f47ed7472
SHA1 49c43cefb89a7adfb758c4a88a5faaf1b96345cf
SHA256 f56f2a05e335c8a3578d536d200952cd3cb8dfd8ec7e78f60a251b91899f2b76
SHA512 29ce997447de6a0c89cf25b2d082d51ed7073a54c408198dda09c1a3fbfb8651ff514175b62dfd163a2212f0e243167d38038eef3394d0337fe84b1deee941f7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003d

MD5 6b1647f87ad693d177429042a2b53381
SHA1 778dd9f5ee99236e23f224c1ea5ae31477cda774
SHA256 0e367dd125300d8405ea99966ba138b2c6e5b98f0c4b0e842c6c3e1a9d42b847
SHA512 ae2fef8be658be4e06f60ab9dd86c57abda7c0ffde5b45490699c618a3ebe3fcd08a6ce01f933cbb04e0ca122085e9b0f5e3cb13be5704c1c4314d3302c3732d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

MD5 48c80c7c28b5b00a8b4ff94a22b72fe3
SHA1 d57303c2ad2fd5cedc5cb20f264a6965a7819cee
SHA256 6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356
SHA512 c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

MD5 f85e85276ba5f87111add53684ec3fcb
SHA1 ecaf9aa3c5dd50eca0b83f1fb9effad801336441
SHA256 4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432
SHA512 1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 fe2a36201435d30a61aa3cf51dbc83ab
SHA1 97e4269d88040823396bb9d7e5b2a3faba2cf76f
SHA256 e1651116357c86f2522f02eb6036ff2db3b0175f44c61459a7efc656e12b4870
SHA512 00c66d50b48866af4c23e70f52555b4867e3055e7c1e578ffe77377a4d771b0aa611c7f7214b3ca7eb9399af512ef19103f7d0718110b3ea53b44cbe4c7242f7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587932.TMP

MD5 211596234272c1b26f2f81719edce769
SHA1 4cd17c471d14e385c0ff69fb441bb1b989cadfee
SHA256 97cada783a43bf9740903669a05e4ce8d89541f2b5c2805d31cbd88fdf9abaed
SHA512 26e26d0f14790817016dbe020faa2cd323819eeabc87b4d4482fe1a32d07df7b0bb2048d75a7d6128c1528ed9cf025dd88eb7c6e75d38ac639f136d84c0994f4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 a243b342fd6393d5fa73d3e8436cc42b
SHA1 86bd92aa851e282da1b9f1a8a673692ba93d1e87
SHA256 1040c9aac5dcf3e5ba92f6fdc0319fe23d5d9fe904e91b6b4f7c749c9d458598
SHA512 8e6ca54289e65cc6b70733c85f584e486a704ba1da009d9ebc423a82db23d54896a3d62c6715e845b9dbd168ff12dd065646aa17cfb8672627ef2f4b94065bd5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e39f2549754f6707a4574cedbd434ef1
SHA1 468690ddc0fad7236bbb315106584e7928b91dbd
SHA256 08052621e343e6b2d6cf56103212d0577482ac76e39a3d8cbd51e5755a7e2d72
SHA512 dd78f892189166ecffa44df1f910bda86e4b29222d574973877cd431efed9e4d014bcab17d6067968e2ec1f6378012e3e86195b2babe84027bd5550fd4e4f7dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 455ad54ed12b135f77ff2c6952a8af78
SHA1 2e465c77b6a02d6bb0b4b2eab638a636888fbfe6
SHA256 b9d45b3c35f8ee6df3787b4a925bcc32111734b896cc92cf06507b3a390081af
SHA512 55534194270ebdd0f0a4402075bc300039ab6838e0708df86c84282d0c6ead9c14081b2dd534719b56bf0c388c5954862b32afc735c45c21abd5039666c7a661

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58871d.TMP

MD5 0cd00e4e93f54e6e1aa7c13cc09faba4
SHA1 47918088dfdd6ce4e68ddfb8c575ed26fd1f34c9
SHA256 90192ded72787262673e42e7fdca178de3da17a44c953c067a969e95b3eff214
SHA512 f242d418ae9e1b8a0d8905c506e1bfaff2875be369b76bd7bd36ff81092c76d1c787603d9771a963e525497ae6c5092bf764d85e02580402eb20c0fdec79f4aa

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

MD5 5d061b791a1d025de117a04d1a88f391
SHA1 22bf0eac711cb8a1748a6f68b30e0b9e50ea3d69
SHA256 4b285731dab9dd9e7e3b0c694653a6a74bccc16fe34c96d0516bf8960b5689bc
SHA512 1ff46597d3f01cd28aa8539f2bc2871746485de11f5d7995c90014e0b0ad647fb402a54f835db9a90f29c3446171a6870c24f44fb8bbb1f85b88e3ade9e0360e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

MD5 3c6a1faaa3b579187ebb77bdc91821b2
SHA1 4015de1744527eef714b16d38b7c16e34c4fd087
SHA256 95225e9444eae70ba4edac4dc12b6cabf2140514ec7635d4dfaa5275fd846e3f
SHA512 2576c990f647d752637266bd749668bc764c7e3d2a8ebbcc5062455a027c01876e39f18475bdaba01b2ff71b1ef4a5338d94116b33cd93e719c227bddbc5d5bb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

MD5 a4159ee738530dc3a6d4759cd809e1d7
SHA1 f47fee5a1eb016c2850f857840f606be76abb93d
SHA256 3160ff5b0dd54a898b490f2e230051e5ac5b1a09e905608857879583b8d8bf8f
SHA512 8cfb1014b51f6bf4bd47fb92919d68b7e517df377e7876d24bb361c70c02b026a0e2b2ca983dc0289dae183962e1435f91aa9f6ca77e875abb33ed8861c3b438

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

MD5 f04c777cf0d23cba40253a84835f661d
SHA1 4aeda3a2af283d717b72a158f56c7759aa6fb730
SHA256 5f373a391e65df568424bdd62b1b6eae88200569f26a0c7869ec5226e03f7564
SHA512 9c2fa3579333455e925873b521205e8a1bbdb5599478609a8c96f42fda89637af7dd7fd5bf9e29dc39076b315f04c952c57ece65f9e1205e804fcb7076ff6500

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

MD5 01dc202e082a44143beb46ec377f99a9
SHA1 741c417b8b67418d357a3b853c8a9b14f2fe7498
SHA256 5a73718ee72f4f9b4150af205a6a6cfdeb5e8c5e920066b342029b497e8a463b
SHA512 c1619e2d3d074ec50d50c4356cd98f8fc00dd1c3511a186b4133a1b97d54b1d36dd4570c93506c017b64aeed007c2e792f5f8793cc00537b2ee84e5fe0882a24

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

MD5 fdca3a0204ef9926886c8885211cca29
SHA1 269b99f3ca8f8411d255c01cbb68ff4946b8c74e
SHA256 396d6ff76943706d33cb1675d2af52bd6cb6c29c149a1c4361c6fbda6537bfb0
SHA512 2acd9c106611b4f15d0fb1f71c4c2cc5d72d85cca9005a60adb34d393a85a259fdc02c00db907c4902430aa14254a83697e1b649d47371a57316a82b1f3e4e80

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038

MD5 08d22b7b5d3d16b28250c2c845ccfca3
SHA1 4093b14efdcb04208a0b9630bcf258813f087ff0
SHA256 aa09076eac69e0ff314523e731b03c77790a9b87dccda6ab406913fb2b56f374
SHA512 747c131ec0378273c77895258ad21218069d2cc1328773a3c0c707d9f2bc64647338f453c518a7cb129e3d4fce9fd64105383dade0b98c0131222f9b41b9e666

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

MD5 c5f3e3eb6f23b67b0edada18156c487f
SHA1 a63aa98f3396b08eea066ebd9bf102cf2253602b
SHA256 0519e8dfe9cd403182050c3d30d063ce0deeee7135fcd3911bd7a3a39a78468a
SHA512 b161c18061a5f374c169e7c84ba2b3b9139ab693274e4cc780df36789220a4dac9e27b1f415a137bd59ac97538e72ddb37f66ab766aaf71c4cce033255244fb5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

MD5 7f8a4f124f314e0f1a6d26a2ad2606f9
SHA1 b10bfb19db2d40eb4ac17735c385493e7dd04c48
SHA256 7bb5dd5ba2a9a34556880c1a064625644803bc44e86914e0185ba6004e917676
SHA512 217479bdba2eff0c329faba1f3c90cb287a716d50c1270617231efd40fc554ff9867875582222dbe0120d0f0325730fa4e43ba76683faea1cb8868e10e0f13f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

MD5 e66db295f52d6e8c7df84a33eb14366f
SHA1 6b15e68d92144eb3079e36d2e7aef7d633894051
SHA256 e6332d9f0159c5582c9556b0895a3d75c56fb9ae48f51c422a74e4c364e61399
SHA512 3aec69bd2c144347055d7ff5a3caaac1485b2d15484932da455f7a616869afe5a4ec6aa4c2df5b28e75b93659b8fcddf0ebd4b1e70389fb1efe5bef24f4680a1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005e

MD5 b0019805fa8599b0581c8a5d634835e3
SHA1 3c001c854081475674f1420d912c61ab4c12abd0
SHA256 a2206425ee994728219bd4799209a52cb3e01a04db45f85d2de87537134ad31a
SHA512 463fa37e83885a628d5c3f4194038ccd86bd9fbac913cde2e0eb5a071be38e83a96141de8b7a4bf6b93f6e7da357c0c4af197b25ed2fb0ce240f9b333e2e160e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 1231149a881db0898610d8de9df94efa
SHA1 f76b22df07b876b0680a867d8f5344f5e2994a76
SHA256 7f2b2541b89d2605594a03b43deed4fd2d28c3e62a61fd29e4b8c25be08d170a
SHA512 6d912f8f3f538e37ba6370583010313370911d9256bda3ccccf719c68df8e621aef791e5ea9489e7cdb8557e323fced83c5c71e381ed96eda68254ecaffd689c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0e06c7942782e4be013457e7593e8818
SHA1 c27740b2c72f44b6e398123efdb0c41b5f6cf259
SHA256 a1d2b1eb51d5f809a1d6e15c3bb6cdecccc6a912106040943ec7631b27c354f5
SHA512 e290a6ef51cf1679f3e8f8d2e5a210edcf474321b1c671c14c61f24f688ec7fabd33c129dccc79e04f8645a56e9f3552fd1ca0d5da318eb62d1e7ac1b98f6c8a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 93f1c125e8b1c016c3009e074ee5f9a7
SHA1 080eeb1aa2e543ba601cffd16c2659c4e3a8d586
SHA256 ad30374b000839deec76125d549201be40801e4e0f47750111b209ff85b5aa69
SHA512 e64fa2a04b54941e283537c935a5eb7ed0cbd2a4e41df9af794c1f9b975382b5052d8de6f80e1fa3caa217d8891ba1bf3ffe258cd8a6a4588625ae57e19397c7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a1bc5bc4fe42353a85a43f61240a1570
SHA1 cb6550af5c9081758b7078c645a0f77defbcdb5c
SHA256 f0cad979aa43c697d633fbaeb90d1755cea07e64bed1e1922ce45b8c774b99f5
SHA512 eb7a4b44b0cd9b8a3d1eef423374e566c625585ecbe2d51f7eb11c29feb1975c2fe7d5a63c41a0384b10de705a12ef04c3bf5ec3190fcd9bb224139b97beb6b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 560a5a728f1cca866d1f9c5ba8fd17bb
SHA1 a47688ca8f1e6791688bb66d209f419b2133de1f
SHA256 8c6b52f8d1fb68a77e3ce326fc91892aee156d0e316a134ed5fb3b51ab79d9c2
SHA512 273e240299afb44772c2dc41920d7ab35d6fcde298ed30b2af6a7503e94d829e62b56287da89545ddaa74aa6d1d3a6ffced6a3517f276193c5a39c4b2816d90c