Malware Analysis Report

2024-11-30 02:48

Sample ID 240407-wl52zsag66
Target 4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e
SHA256 4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e
Tags
amadey risepro evasion persistence spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e

Threat Level: Known bad

The file 4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e was found to be: Known bad.

Malicious Activity Summary

amadey risepro evasion persistence spyware stealer themida trojan

RisePro

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Checks BIOS information in registry

Reads user/profile data of web browsers

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Themida packer

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:01

Reported

2024-04-07 18:04

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20c9702acf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\20c9702acf.exe" C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133569865286870433" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2364 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2364 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2120 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 4016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3148 wrote to memory of 4016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4016 wrote to memory of 456 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 4016 wrote to memory of 456 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 4016 wrote to memory of 2168 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2168 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe
PID 2120 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe
PID 2120 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe
PID 2120 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2120 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2120 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2120 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 2120 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 2120 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 2120 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe
PID 2120 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe
PID 2120 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe
PID 1212 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1212 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 5084 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 5084 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5036 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe

"C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\999976163400_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe

"C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb364d9758,0x7ffb364d9768,0x7ffb364d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4640 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\999976163400_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2892 --field-trial-handle=1932,i,1739397254277445235,2390187610012524098,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 www.youtube.com udp
DE 172.217.16.206:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
DE 142.250.185.78:443 consent.youtube.com tcp
US 8.8.8.8:53 131.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 42.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 78.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:443 www.google.com tcp
US 8.8.8.8:53 170.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 196.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.google.com udp
DE 216.58.206.46:443 clients2.google.com tcp
US 8.8.8.8:53 46.206.58.216.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
DE 142.250.185.78:443 consent.youtube.com udp
US 8.8.8.8:53 play.google.com udp
DE 142.250.185.206:443 play.google.com tcp
DE 142.250.185.206:443 play.google.com udp
US 8.8.8.8:53 206.185.250.142.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 consent.youtube.com udp
DE 142.250.185.78:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 185.215.113.32:80 185.215.113.32 tcp

Files

memory/2364-0-0x0000000000CC0000-0x000000000117E000-memory.dmp

memory/2364-1-0x0000000077054000-0x0000000077056000-memory.dmp

memory/2364-2-0x0000000000CC0000-0x000000000117E000-memory.dmp

memory/2364-3-0x0000000005070000-0x0000000005071000-memory.dmp

memory/2364-4-0x0000000005060000-0x0000000005061000-memory.dmp

memory/2364-5-0x00000000050A0000-0x00000000050A1000-memory.dmp

memory/2364-6-0x0000000005030000-0x0000000005031000-memory.dmp

memory/2364-7-0x0000000005050000-0x0000000005051000-memory.dmp

memory/2364-8-0x0000000005040000-0x0000000005041000-memory.dmp

memory/2364-9-0x0000000005090000-0x0000000005091000-memory.dmp

memory/2364-10-0x00000000050C0000-0x00000000050C1000-memory.dmp

memory/2364-11-0x00000000050B0000-0x00000000050B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 9758364540ca14712115007f871cc070
SHA1 c01e073f48e338017df6eb1a1d8a37ad57359708
SHA256 4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e
SHA512 1dde54c9fc5645249e8d2833e6125c6babed299e32eed173d96e665218bd81f936a94bd391a1ae55ea2aef8905206d927f95617f51ab48d2a8fae8c64e753c07

memory/2364-23-0x0000000000CC0000-0x000000000117E000-memory.dmp

memory/2120-24-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2120-27-0x00000000054D0000-0x00000000054D1000-memory.dmp

memory/2120-25-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2120-26-0x00000000054C0000-0x00000000054C1000-memory.dmp

memory/2120-28-0x00000000054B0000-0x00000000054B1000-memory.dmp

memory/2120-29-0x0000000005500000-0x0000000005501000-memory.dmp

memory/2120-30-0x0000000005490000-0x0000000005491000-memory.dmp

memory/2120-31-0x00000000054A0000-0x00000000054A1000-memory.dmp

memory/2120-32-0x0000000005530000-0x0000000005531000-memory.dmp

memory/2120-33-0x0000000005520000-0x0000000005521000-memory.dmp

memory/2120-34-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyltpus1.q4e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2168-55-0x000001843C070000-0x000001843C092000-memory.dmp

memory/2168-56-0x00007FFB34640000-0x00007FFB35101000-memory.dmp

memory/2168-57-0x000001843C150000-0x000001843C160000-memory.dmp

memory/2120-58-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2168-59-0x000001843C150000-0x000001843C160000-memory.dmp

memory/2168-60-0x000001843C0E0000-0x000001843C0F2000-memory.dmp

memory/2168-61-0x0000018423F40000-0x0000018423F4A000-memory.dmp

memory/2168-67-0x00007FFB34640000-0x00007FFB35101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042001\20c9702acf.exe

MD5 a146c87cb0c1e72a3f58693a3c62664a
SHA1 d5c3b55a00cbbf12bde85e25a5593f7bec9a139d
SHA256 9643e5da6e6ff6f5ab0d2354b182172dbe991c489b2b7e16dafbc7730ee6b4ea
SHA512 aa532c677bd85e52d262f8542dd7d8a1022e6a45d021848ed8ea8ccfab82eb043f19f2b71d15fadd1ea965e36de76e70c316a6a8e3102c776b03f31b890d8f48

memory/4972-86-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/2120-87-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/4972-88-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/4972-89-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/4972-90-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/4972-91-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/4972-92-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/4972-93-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/4972-94-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/4972-95-0x00000000009D0000-0x0000000001173000-memory.dmp

memory/2120-99-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/3020-100-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/3020-101-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/3020-107-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/3020-106-0x0000000004D80000-0x0000000004D81000-memory.dmp

memory/3020-105-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

memory/3020-104-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

memory/3020-103-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

memory/3020-102-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

memory/3020-108-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

MD5 cfc06aba2d122bbcdecc230879fcb37e
SHA1 7e65e4b1011b9ba560aaf82db3d4c754cfabb2b9
SHA256 a2ce78b94891c8c75e9f355c9d098ed8008f2b8f86e1e2d76994d5cc044c60ba
SHA512 baf6b8f406aaaf5f7eb29c0138101db676143d7bcb5c036fa6750655090b54669a7b609356478c3e60099c0abd2afc053ea2f68285cbfcb4bb0ccdb922c8f53a

memory/4548-124-0x0000000000B20000-0x0000000000FD5000-memory.dmp

memory/3020-125-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

memory/4548-136-0x0000000000B20000-0x0000000000FD5000-memory.dmp

memory/4548-138-0x0000000005500000-0x0000000005501000-memory.dmp

memory/4548-137-0x00000000054F0000-0x00000000054F1000-memory.dmp

memory/4548-140-0x0000000005520000-0x0000000005521000-memory.dmp

memory/4548-139-0x00000000054E0000-0x00000000054E1000-memory.dmp

memory/4548-142-0x00000000054D0000-0x00000000054D1000-memory.dmp

memory/4548-141-0x00000000054C0000-0x00000000054C1000-memory.dmp

memory/4548-144-0x0000000005550000-0x0000000005551000-memory.dmp

memory/4548-145-0x0000000005540000-0x0000000005541000-memory.dmp

memory/4548-149-0x0000000000B20000-0x0000000000FD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000051001\9e92fb2da1.exe

MD5 c2e994b67ef96309aacf378b52ae130e
SHA1 43fb63991d1ad12416ebab0e57c1fa44daf525a3
SHA256 b021a2ea3240f81c2d6164967e668135f5de22bbbf8372918addbb8c2b4e6bc7
SHA512 5b14110e2fd961fbb0ad75af8c5e0e7dd4cedb2e1a18c0b2bba68164922ba714a4121cfc114ba4c1b66a858b7aa60ec1fd05bea19b01314e278ba75634067b2f

\??\pipe\crashpad_5036_MBBPRRBWXCRBGXRF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4972-177-0x00000000009D0000-0x0000000001173000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

memory/2120-207-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b5a7ed49819a5ed1fa5479a647498165
SHA1 79712990528e37b32cc8c41c9b11bb28f2333ede
SHA256 1e40d6d87684c41371868f0a82c5808827dd03078ba722aa6e6e9298baccc39b
SHA512 1ee0183b4b6d6961b2c1383ac510a06f48c630b9f7ba6450b3cdaba2f5f45447c03a8b27554f7ddc7f7d4838cf350d74a91a26903374e2295f02a130cf71e910

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6bfa88dab4b11104fa173af7f0958503
SHA1 777cf282a32197efc30169fb49f2f1bbfd4e84cf
SHA256 041ff1f48c7ddaace1a5c0ef278d5041196a8a0d81e97fdd874027fb05e636c8
SHA512 a8b351510034d768963bd0b079e680b1b1e5b9f8d60cbf1d2b9826cce47748b1c448a839e35f1357f4ac93c7ebc14d9f88d7f8552d0c66ce992d0f7e106b44ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 7d2dfefe4428fa16d6e53e36a8f3d96a
SHA1 edd99e9cc96362e6bfec238ab9e89dada5866744
SHA256 0999b37d4c285fe28b609525509cf5de65200b8ed4e360710324545a46b0d511
SHA512 91fd111ece538b160244ea29a354d733f0d0cbc0ddd4625b93a893de944ed2b959168c188bb91af20b6c28fc6c4a36e5774859d7f7085a3c5d89ec795803adb7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 ce97c50dde3c80dcb82134c4a23e3a41
SHA1 baedebf0032a174507152edef98d7e64d5970e06
SHA256 d2b720e0664df4dd48e40343db93142ade1191b88685041caa56bdb2b49a7ecd
SHA512 c9eac4f90118df7196292bef2a3d915442f962ca3c237a4054570f5091758d215986507ec454eff33b745b86ef50135947f4d80e9abd9386c7897be097220e55

memory/2120-233-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7ee800d54280acaffc0526e7c017f39e
SHA1 92518ae9c0f6a82d36fd960428ec445c5c24802e
SHA256 6aaf3417a3b6dced785f518cb4c16c13f29994de9256f729dde7fd63a5d4dac1
SHA512 3d169b8ecd9d97515e79df56ad88d75bb4b612e0c8389f44b2d9d8964480cb12e284c1a0eab1fce785e27dc7112f89992e6e4657263459b2babf11fc74bc5625

memory/2120-240-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2120-242-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2120-253-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2556-258-0x0000000000CA0000-0x0000000001155000-memory.dmp

memory/2120-256-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/3664-260-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/3664-262-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

memory/3664-261-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/3664-263-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/3664-264-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/3664-266-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

memory/3664-265-0x0000000004A90000-0x0000000004A91000-memory.dmp

memory/3664-267-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

memory/2556-269-0x0000000004A80000-0x0000000004A81000-memory.dmp

memory/2556-270-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/2556-271-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/2556-268-0x0000000004A90000-0x0000000004A91000-memory.dmp

memory/3664-276-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2120-281-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2556-282-0x0000000000CA0000-0x0000000001155000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fe3aab3ae544a134b68e881b82b70169
SHA1 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256 bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA512 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 74cd4674166ac8f1bea0a81b6bb8eabc
SHA1 0e7e9faee65e22e86a0f47664f3489c12e710d90
SHA256 430d083ba64e6ecf668e892360b5a4a3423ff492e84f01f14aa69957de2e1e44
SHA512 ce07207402aefa1503da21c5cc29e55f777abd5a04b2b41061c6d6a37da7ec3a2df0388c7481bf0c71e4f656cb703ca19c6ecde9cbe5ae21d2948321ee7d7391

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ed4984cd7aa01bce136303080ca5e6e4
SHA1 98bb159c47918943c22b6566ccb82aa7cdfe9154
SHA256 28f7365af92795e303cce5bf8915fcc72d53126bb8f40c74b9a438e625452748
SHA512 4702d9f4b707a72cbb326757de4f01e4aaeb22ae777977d55c6323c73e91abd8e1d0f0c65b7bd1395012e7d679c82b6c23b4d6d3bb3c3f33f9d0bf877330f738

memory/2120-333-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2556-335-0x0000000000CA0000-0x0000000001155000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

memory/2120-348-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2556-349-0x0000000000CA0000-0x0000000001155000-memory.dmp

memory/2120-351-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2556-352-0x0000000000CA0000-0x0000000001155000-memory.dmp

memory/2120-354-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2556-355-0x0000000000CA0000-0x0000000001155000-memory.dmp

memory/2120-357-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

memory/2556-359-0x0000000000CA0000-0x0000000001155000-memory.dmp

memory/1188-369-0x0000000000AF0000-0x0000000000FAE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:01

Reported

2024-04-07 18:04

Platform

win11-20240221-en

Max time kernel

156s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a829fce24.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\0a829fce24.exe" C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133569865505603791" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 1528 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 1528 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4824 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe
PID 4824 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe
PID 4824 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe
PID 4824 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4824 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4824 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 4824 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 4824 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 4824 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 4824 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4824 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 4824 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 3808 wrote to memory of 2008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3808 wrote to memory of 2008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2008 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2008 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 4824 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe
PID 4824 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe
PID 4824 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe
PID 3812 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3812 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 4508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 4508 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2008 wrote to memory of 3300 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 3300 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4692 wrote to memory of 1604 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe

"C:\Users\Admin\AppData\Local\Temp\4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe

"C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffec0699758,0x7ffec0699768,0x7ffec0699778

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\852399462405_Desktop.zip' -CompressionLevel Optimal

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3672 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1748,i,14723141396528503893,9389236263513749843,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\852399462405_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Network

Country Destination Domain Proto
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 www.youtube.com udp
DE 172.217.16.206:443 www.youtube.com tcp
DE 142.250.185.78:443 consent.youtube.com tcp
US 8.8.8.8:53 78.185.250.142.in-addr.arpa udp
DE 172.217.16.196:443 www.google.com tcp
RU 193.233.132.56:80 193.233.132.56 tcp
DE 216.58.206.46:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
DE 142.250.185.78:443 consent.youtube.com udp
DE 142.250.185.206:443 play.google.com tcp
DE 142.250.185.206:443 play.google.com udp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
DE 142.250.185.78:443 consent.youtube.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com udp

Files

memory/1528-0-0x0000000000680000-0x0000000000B3E000-memory.dmp

memory/1528-1-0x0000000077A06000-0x0000000077A08000-memory.dmp

memory/1528-2-0x0000000000680000-0x0000000000B3E000-memory.dmp

memory/1528-3-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

memory/1528-4-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

memory/1528-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

memory/1528-6-0x0000000004C10000-0x0000000004C11000-memory.dmp

memory/1528-7-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

memory/1528-8-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

memory/1528-9-0x0000000004C40000-0x0000000004C41000-memory.dmp

memory/1528-10-0x0000000004C30000-0x0000000004C31000-memory.dmp

memory/1528-12-0x0000000000680000-0x0000000000B3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 9758364540ca14712115007f871cc070
SHA1 c01e073f48e338017df6eb1a1d8a37ad57359708
SHA256 4b9f0839c319c2534bc4cf51c8b4f263faa434d00280bc8a0a629b027414003e
SHA512 1dde54c9fc5645249e8d2833e6125c6babed299e32eed173d96e665218bd81f936a94bd391a1ae55ea2aef8905206d927f95617f51ab48d2a8fae8c64e753c07

memory/1528-23-0x0000000000680000-0x0000000000B3E000-memory.dmp

memory/4824-24-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/4824-25-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/4824-26-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

memory/4824-27-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

memory/4824-28-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

memory/4824-29-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

memory/4824-31-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/4824-30-0x0000000004D80000-0x0000000004D81000-memory.dmp

memory/4824-32-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

memory/4824-33-0x0000000004E10000-0x0000000004E11000-memory.dmp

memory/4824-34-0x0000000004E00000-0x0000000004E01000-memory.dmp

memory/752-36-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/752-37-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/752-38-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

memory/752-39-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

memory/752-40-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

memory/752-41-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

memory/752-42-0x0000000004C80000-0x0000000004C81000-memory.dmp

memory/752-43-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/752-44-0x0000000000320000-0x00000000007DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042001\0a829fce24.exe

MD5 a146c87cb0c1e72a3f58693a3c62664a
SHA1 d5c3b55a00cbbf12bde85e25a5593f7bec9a139d
SHA256 9643e5da6e6ff6f5ab0d2354b182172dbe991c489b2b7e16dafbc7730ee6b4ea
SHA512 aa532c677bd85e52d262f8542dd7d8a1022e6a45d021848ed8ea8ccfab82eb043f19f2b71d15fadd1ea965e36de76e70c316a6a8e3102c776b03f31b890d8f48

memory/4824-63-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/4912-66-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/4912-64-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/4912-65-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/4912-67-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/4912-68-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/4912-69-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/4912-70-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/4912-71-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/4912-74-0x0000000000140000-0x00000000008E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

MD5 cfc06aba2d122bbcdecc230879fcb37e
SHA1 7e65e4b1011b9ba560aaf82db3d4c754cfabb2b9
SHA256 a2ce78b94891c8c75e9f355c9d098ed8008f2b8f86e1e2d76994d5cc044c60ba
SHA512 baf6b8f406aaaf5f7eb29c0138101db676143d7bcb5c036fa6750655090b54669a7b609356478c3e60099c0abd2afc053ea2f68285cbfcb4bb0ccdb922c8f53a

memory/4824-90-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/2068-91-0x0000000000DD0000-0x0000000001285000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

memory/4824-102-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/2068-105-0x00000000054D0000-0x00000000054D1000-memory.dmp

memory/2068-104-0x0000000000DD0000-0x0000000001285000-memory.dmp

memory/2068-106-0x00000000054C0000-0x00000000054C1000-memory.dmp

memory/2068-107-0x0000000005500000-0x0000000005501000-memory.dmp

memory/2068-108-0x00000000054A0000-0x00000000054A1000-memory.dmp

memory/2068-109-0x00000000054B0000-0x00000000054B1000-memory.dmp

memory/2068-110-0x00000000054E0000-0x00000000054E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000051001\e1675adc2a.exe

MD5 c2e994b67ef96309aacf378b52ae130e
SHA1 43fb63991d1ad12416ebab0e57c1fa44daf525a3
SHA256 b021a2ea3240f81c2d6164967e668135f5de22bbbf8372918addbb8c2b4e6bc7
SHA512 5b14110e2fd961fbb0ad75af8c5e0e7dd4cedb2e1a18c0b2bba68164922ba714a4121cfc114ba4c1b66a858b7aa60ec1fd05bea19b01314e278ba75634067b2f

memory/4824-121-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/2068-128-0x0000000005520000-0x0000000005521000-memory.dmp

memory/4912-131-0x0000000000140000-0x00000000008E3000-memory.dmp

memory/2068-132-0x0000000005510000-0x0000000005511000-memory.dmp

memory/2068-137-0x0000000000DD0000-0x0000000001285000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yl4boz3y.0o5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3300-139-0x00007FFEBF5F0000-0x00007FFEC00B2000-memory.dmp

memory/3300-149-0x00000175582A0000-0x00000175582B0000-memory.dmp

memory/3300-148-0x00000175582B0000-0x00000175582D2000-memory.dmp

memory/3300-150-0x00000175582A0000-0x00000175582B0000-memory.dmp

\??\pipe\crashpad_4692_QGGYUARVGSYBPHEA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3300-161-0x0000017558340000-0x0000017558352000-memory.dmp

memory/3300-162-0x0000017558320000-0x000001755832A000-memory.dmp

memory/3300-177-0x00007FFEBF5F0000-0x00007FFEC00B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

memory/4824-200-0x0000000000320000-0x00000000007DE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 ee5a0e2d26c3156e5934a89be4d797b1
SHA1 1c9cf3a71ea256b1833e75b700cae4f58eda9938
SHA256 825b043e97023a39cb5e0dac3858b5ff663b1a45afa7afdd0aeb6510188afc9d
SHA512 e792ab712f4014557fc8023c79303093b745df0ea45e0e8ccac1c187cdcbb64da2ecfffe95abca4071dc4ac797402361962537025fd26feb4f21d70fad27641c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 afd7877d446b3a2cba951fbe29019fad
SHA1 fe08aa0351a950dfe7b9953231969a0a68e6154d
SHA256 e92f50540b7cd3f601b6fc479a09aa0e2602570735746deeeae07df5296a6030
SHA512 737ecf0f477456a59376668d0cf2e37567e51596d0f6511da2f89adee6e113e213144ab6c46728df671127d7accc132c35aacd5737ac20f8083184d458f667e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 b9401b7f0a89ab03c3fb3f1fc72accf0
SHA1 165621744de946805fce3a0ef9f28671bb195653
SHA256 3e8fcbf8146086b8c5c526c4187eafc0d21369c15157a0b7671c44697d8f2ca2
SHA512 b683b6ecfcd74206396f9e9607199b36d1332e866a0b10d89b6681583b98d60e61cf2dd585e60e73d026a84882bb96f43edf0c7cd681263e9c7b8650c648db95

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 fe82ca154694de61494bb3679f706b6a
SHA1 a63f8cc786db653542eed9e35164641ecc95b182
SHA256 be2159dfd3bb1dad8e5ff4cfa061427eb37fc26d8ae0a64fc46036c09853fef6
SHA512 ff4a64e8be8f08722b701fc48db4b1a59d2c52533e35454b11bfc489b97ad48b931dd486df66feea00de62540765744c9ee7ac38415ab12afcc5385cee93d5b5

memory/4824-229-0x0000000000320000-0x00000000007DE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 909554e9ced70cc3e40ba8ca5015706b
SHA1 abd97f19952a773a40bea575ea9edaf71efdb800
SHA256 243dc0c60ea8cbb20de49f81d586852f023bf6fcf8181aa357cf836a2f6521c2
SHA512 203e49798fd6723a48d5f9035e634e7fa1d8efb7d1f38a9145144db46d19041613c51195c7773a20fe7616d9c9e208e538deaa3a4298a0bba7dd1b7ca1d8d7a2

memory/4824-240-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/4824-244-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-245-0x0000000000FD0000-0x0000000001485000-memory.dmp

memory/1464-247-0x0000000000FD0000-0x0000000001485000-memory.dmp

memory/1464-248-0x0000000005970000-0x0000000005971000-memory.dmp

memory/1464-249-0x0000000005980000-0x0000000005981000-memory.dmp

memory/1464-250-0x0000000005960000-0x0000000005961000-memory.dmp

memory/1464-251-0x00000000059A0000-0x00000000059A1000-memory.dmp

memory/1464-254-0x0000000005950000-0x0000000005951000-memory.dmp

memory/1464-253-0x0000000005940000-0x0000000005941000-memory.dmp

memory/2376-255-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-256-0x00000000059D0000-0x00000000059D1000-memory.dmp

memory/1464-257-0x00000000059C0000-0x00000000059C1000-memory.dmp

memory/2376-258-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/2376-259-0x0000000005160000-0x0000000005161000-memory.dmp

memory/2376-260-0x0000000005170000-0x0000000005171000-memory.dmp

memory/2376-266-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/4824-276-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-278-0x0000000000FD0000-0x0000000001485000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ae626d9a72417b14570daa8fcd5d34a4
SHA1 c103ebaf4d760df722d620df87e6f07c0486439f
SHA256 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512 a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1ca0032e53df57864eca5c293d705d0d
SHA1 faf09dad6654035c51e5f0e373cb280cf97fde34
SHA256 661aeb3b5959e598699b8d83e3f8b962ad2783c4d1ed7cd9ed8355b26e013b17
SHA512 a5e92e427a6ffc7d177819d63e86adc50c34b20abb5304335933de388b46c2ffad7d993d6a478edbcdd203cca2b98d96db6f50ab917b6e21825327e164e7b437

memory/4824-313-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-314-0x0000000000FD0000-0x0000000001485000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

memory/4824-328-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-329-0x0000000000FD0000-0x0000000001485000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 91581f9191ea8919ed58066654b4dc51
SHA1 67410417f8fc50acb6bf0554fc528a766df09ae8
SHA256 4838d202e71779f42c32dc169e5e549e769a0a70734fece545344528d2f3296f
SHA512 68958c404b43947d93931812ddf7c84916e6a730fed9033ee11cac713860892b6d7cc1a7fcdedfa8e56b6a64e92451b5053fd9d05cc4f2a4aabd02beb277d162

memory/4824-345-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-346-0x0000000000FD0000-0x0000000001485000-memory.dmp

memory/4824-348-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-349-0x0000000000FD0000-0x0000000001485000-memory.dmp

memory/4824-351-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-352-0x0000000000FD0000-0x0000000001485000-memory.dmp

memory/2848-362-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/4824-363-0x0000000000320000-0x00000000007DE000-memory.dmp

memory/1464-365-0x0000000000FD0000-0x0000000001485000-memory.dmp