Malware Analysis Report

2024-11-13 13:53

Sample ID: 240912-evq6ra1cjd
Target: https://www.youtube.com/channel/UC0G6UimTOf4mIRvW11yPZXQ/about
Tags: rhadamanthys xmrig discovery evasion execution miner persistence stealer
Score: 10/10

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://www.youtube.com/channel/UC0G6UimTOf4mIRvW11yPZXQ/about was found to be: Known bad.

Malicious Activity Summary

Rhadamanthys

xmrig

Suspicious use of NtCreateUserProcessOtherParentProcess

XMRig Miner payload

Creates new service(s)

Drops file in Drivers directory

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Power Settings

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Modifies registry class

Analysis: static1

Detonation Overview

Reported: 2024-09-12 04:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-12 04:15
Reported: 2024-09-12 04:19
Platform: win10v2004-20240802-en
Max time kernel: 170s
Max time network: 176s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4172 created 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | C:\Windows\system32\sihost.exe
PID 1416 created 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | C:\Windows\system32\sihost.exe

xmrig

miner xmrig

XMRig Miner payload

miner

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\PcHealthTool\HealthTool.exe | N/A
File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A
File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A

Stops running service(s)

evasion execution

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\PcHealthTool\HealthTool.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 516 set thread context of 2604 | N/A | C:\ProgramData\PcHealthTool\HealthTool.exe | C:\Windows\system32\conhost.exe
PID 516 set thread context of 4400 | N/A | C:\ProgramData\PcHealthTool\HealthTool.exe | C:\Windows\explorer.exe

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705881803465902" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{36ABB549-0FAC-488D-ACCD-38BBEC37ED9B} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Consecutive identical rows are collapsed; Count is the number of events in that run, in the original order.

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A | 2
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\w.exe | N/A | 2
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1
N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A | 4
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 5
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ww.exe | N/A | 2
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 6
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A | 2
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A | 1
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A | 11
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A | 1
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\www.exe | N/A | 3
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 3
N/A | N/A | C:\ProgramData\PcHealthTool\HealthTool.exe | N/A | 3
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 1
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Identical rows are collapsed; Count is the number of events. The two chrome.exe rows in each group alternate, SeShutdownPrivilege followed by SeCreatePagefilePrivilege, in the original order.

Description | Indicator | Process | Target | Count
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 7
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 7
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A | 1
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A | 1
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 24
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 24

Suspicious use of FindShellTrayWindow

Consecutive identical rows are collapsed; Count is the number of events in that run, in the original order.

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 50
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 14

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 3884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4428 wrote to memory of 2848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4428 wrote to memory of 1232 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4428 wrote to memory of 4616 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/channel/UC0G6UimTOf4mIRvW11yPZXQ/about

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85f4bcc40,0x7ff85f4bcc4c,0x7ff85f4bcc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2036 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2480 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2596 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3120 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4344,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4668 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4868,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4668,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5136,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5148 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4a8 0x34c

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5536,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5432 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe"

C:\Users\Admin\AppData\Local\Temp\w.exe

C:\Users\Admin\AppData\Local\Temp\w.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

C:\Users\Admin\AppData\Local\Temp\ww.exe

C:\Users\Admin\AppData\Local\Temp\ww.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /tn WmiPrvSES /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe" /sc minute /mo 1 /f

C:\Users\Admin\AppData\Local\Temp\www.exe

C:\Users\Admin\AppData\Local\Temp\www.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "PcHealthTool"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "PcHealthTool"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\www.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\PcHealthTool\HealthTool.exe

C:\ProgramData\PcHealthTool\HealthTool.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe

C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4796,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=724 /prefetch:8

C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe

"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"

C:\Users\Admin\AppData\Local\Temp\w.exe

C:\Users\Admin\AppData\Local\Temp\w.exe

C:\Users\Admin\AppData\Local\Temp\ww.exe

C:\Users\Admin\AppData\Local\Temp\ww.exe

C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe

"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"

C:\Users\Admin\AppData\Local\Temp\w.exe

C:\Users\Admin\AppData\Local\Temp\w.exe

C:\Users\Admin\AppData\Local\Temp\ww.exe

C:\Users\Admin\AppData\Local\Temp\ww.exe

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

C:\Users\Admin\AppData\Local\Temp\www.exe

C:\Users\Admin\AppData\Local\Temp\www.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "PcHealthTool"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\www.exe"

C:\ProgramData\PcHealthTool\HealthTool.exe

C:\ProgramData\PcHealthTool\HealthTool.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe

"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe

C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\w.exe

C:\Users\Admin\AppData\Local\Temp\w.exe

C:\Users\Admin\AppData\Local\Temp\ww.exe

C:\Users\Admin\AppData\Local\Temp\ww.exe

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

Network

Country Destination Domain Proto

Files

SHA512 2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4428_1205578633\Shortcuts Menu Icons\Monochrome\1\512.png

MD5 529a0ad2f85dff6370e98e206ecb6ef9
SHA1 7a4ff97f02962afeca94f1815168f41ba54b0691
SHA256 31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6
SHA512 d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 a3302a31aefa69f1d4a24b4c35079430
SHA1 754dd17bcd590a3f0707337d04150f85c43d4de1
SHA256 2fd373b596795374a230cb1f93752d99fa24d74bf4d6cae07449e7f5d1de1b5e
SHA512 8bbdbb8b9fb31e52642288385bcb77a7dadbe5d191577cfd93e1ac4d6284c006c36ee0d9f21588c32eb4cb0807cdb7830a730847424d9145ea067c9c0a2bf797

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 fcfc1946b985d4304cf069f1154f4cab
SHA1 bd91b22a14d29cb9d5a3d749fc7a35b06e458b0c
SHA256 3aec8142d551f57636d37fd2d8bf08d7149b1439ecdfa59de1f887ed2348f4ab
SHA512 bfbaa47b6d901b1658e73c619bdc5c64663840cbe28e84e2d82042f569db023faeb241c38a623b5572b5d858453c4a878f9835adea57d9df4b95f3624dec6fc5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5989903f8f61c9fdc98ac8426fbd7846
SHA1 9a6eb03ebfea9eea8b5abb06a24301d36ec3ff01
SHA256 ec2dbd7ccfd6a0e82a2536cb217746c23d2d993e52a2a268381aefc4b6de03cf
SHA512 d9df09641778f0425ee6ad64af2cbde66342b3b2df8f85a200934f8ac9f4813a80b5fe6ff8f57ee918e60be2c5b0c62860c2dca4cd6bf57c74718f30607c63e5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f53ba5266197106e4ba217b1bb4579b4
SHA1 018b507a4b05545146a429d73511bcd757aca3bf
SHA256 d528f5d8bdcec2aee2ff2275289e2e3caf6481549b7dcd82dbea710c96d36b0a
SHA512 6485695ea49995bd86d81a820e980da416842bcfef8c1cba9135920d044560f4d14f8ca2a04ca7c9f86bd613d8627b361e2af97293a179473b1bd86e4f4dc8f0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 e27b84a013652d85b7774d969b388417
SHA1 d09626fc677f7c275e1ea7de5804690f6753720b
SHA256 9cde0c8c46bdd910305bd4b190c1b5c6bb58fd2f651f576e58c2dd3731d2c671
SHA512 1c617422048e04ba50eb2df842944894db3e765234a0a64814dc6c3dac162f23fb0dc7fb07608b338aee5c38a0f1ac252d043b37f69e81da24f284c35b04ebbd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 15f36a2987d80adfc97f99013120b0ad
SHA1 9d926bc27c99680ae30c7e0a38892cfba40418c0
SHA256 9b40b9fb043d50f33959ea504c6da6ae74d76da311a1c90dab5447a8db75a0e1
SHA512 72a1d8da5b6754bf9d26e2ddb0c3916a6adf63ce46838fc22ddeed5cb03d4cdca77fb791351343d1917322bbfbf9cc1e1f52b3608369150f5ece151205368670

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 54665873bf5e86df322c00827ccaed29
SHA1 df4d66c6a77551ea2996b5f27aa686923d9eff3b
SHA256 7e76723d6e7aa5f5dec08a1cb2a9f4417bd51a6e8097e44a2cbc44d6301e9af5
SHA512 3afd424a8810b65cc60bd55c6bcb9de64c89eec410b4af70903be8ca68fe710bbc10a38efd5d2e65cd00ac530cd1d90c93b16448ef18458dd574a2123f6d2af6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 f07f922abf7b04a0733791528b2a3fce
SHA1 1a97a7f2ac95f9448623e20c3cdbbc4b23123a53
SHA256 52fcd0e15f4729f5f99dc35d00b0558e288e20dfb14690e59feec3ecfa531918
SHA512 cb67cf7216ad14841e3cd83580d7537abaad1a4454f990a204064bf3effb8404a90271ba9a995656a734c17a22c968cd15363d6124fdd736964dc631d55f8fa2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\eb2cfdc9-ee2e-4c46-8a3f-3b976981a29d\index-dir\the-real-index~RFe57edfa.TMP

MD5 882d46fb9ffba47b7fe71311db6885b4
SHA1 2df7c77d6ab09ac88cfd6fb9d77fd7f5598d2d5b
SHA256 1e6644717a826f41225f540a1b61aaea6e3e87e370b9eb5fd1094b4eee56e325
SHA512 7712b0aea9aa15c66ed8c4aba8040a41b3097d30e1d0f1c1de0de56f8e5634ee5c8514f67b5b6a8b28636aac8ea0661a840113aad6263fd9cbe3515fc023bf1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\eb2cfdc9-ee2e-4c46-8a3f-3b976981a29d\index-dir\the-real-index

MD5 cf90f9c4baefa3d240e7f9ccc60baa7e
SHA1 65837957cdd39e0b43eee34d1bd8a5433fe79620
SHA256 7368ab9cc79c54d2309be56c957ec9c8d2e725153ce58c469fadc2101ebb6e3d
SHA512 1a62f67bca579d5824fff13b54a487eca302cec5b5e9afec4901e98ac9540a7731083627845cfe0607205f54c3a87684b8165ecb01c6f09ead2ab7108f4fb5de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f2d4b7e83464ec59b59d6ed9732a3e16
SHA1 e489f54b4f0bca8f33bec935f3f34fda04292517
SHA256 48d540812ca216bce91c2d53acb9b04fa529c1afbd70ec67a48a0571add9f3e1
SHA512 3f329bf5e9e510b4d17ca9c89b67f652e8b210e08974978b46cf12c03f9e4e0ee7ca74d19d5da71c374cf2494abdafef21f5f995695aa66d1df63feb8c51ba55

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f7ee3b25-5409-4723-8649-e5a277ead34f\index-dir\the-real-index~RFe57f52d.TMP

MD5 98a652c481f2ac1b832d2752cf925781
SHA1 47cf63dbac245a47e784826024c2573abc0b3747
SHA256 56fa5e2e2bad2adb335f2d9e9c66e7f3d61a278b6cd9fe6255fa3ab7eba7c4de
SHA512 2273415585c9cb931ddbabd1d9f838a91ec7fcd4168174550ba71bd783180df519e70e6c3b396a5b566d8ad63185467d0ab097d6e5731430886280171681efc3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f7ee3b25-5409-4723-8649-e5a277ead34f\index-dir\the-real-index

MD5 99bb35cda90b0763820c48863375ed88
SHA1 d0f9e927debcae670eed668b69ce91377245b810
SHA256 db20177c0f162b0c3c5ba0e32b7c399a8b4d96b0d8b6eccfcaed123ed6cd4c2f
SHA512 4dbde9baf6e33fe4623351a5f8426061fe71399534b21d75b8947c789c349394bb8b507675d494f70bfcf29ef86cc134f5af9a5cff60f20513c5eef39d0cb3f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 51d0c90ad91b3c23391c0b0b240bd86e
SHA1 65e0025950f1ec74a4599ee5bbb2bdc8d2af742a
SHA256 4d3ec5e67a851743f4ffc87838a760cd06e2fb27ca0ce318582cd9f08939207e
SHA512 577a260b7df64fe9dd530aee134054ef994383628112da5a7398f2a2288fbefb8f778d56cbbf16c252b9e5bf613df0d302ed03486cfde1a1aeb6bd3dd6913950

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fbd90223ed4bf8cc1c9f3aef908c4775
SHA1 6ecfd7f6b332bcca71b056171596021d2e4594e9
SHA256 14953feae300efe64959c876e36b08f48f12d46711c63d5c0f042f3006f83536
SHA512 537ddce3d91a69dd0e07097ce4596ae9872e6946e5e39e5bdd4ed4e3c65bb571cf6ccb71f4652052228ba5c5319ddd77021c8bc6449a4a8cf80cf10431e09127

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 83b595eea1f72c7fe0ab4ec08125a52c
SHA1 08c69134ef0264c26ec49943ced7e248ca2548b3
SHA256 144b4b6fab29d7f7d395a50e69f4223caf2dfc9cda582eb81c1c0c54f77148a0
SHA512 afaa894eeb8a9a3fead3c4d7a66fe46a249a7bda7642875e7347f907da4f6290c5522193c9c92316d5323ab757dfc98996231d98995e965a6fea6e0e9df8951d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 35a8158bf1d11a2e84ad34b2ddb8ff1b
SHA1 3ca9f066636fa2d5901e29ebaa2be43543303eb4
SHA256 766b8e1564f2d48980efb863b4f1e68e12e2f69b5773382e069d0a467373b632
SHA512 f6e920329666102cc1df780dc84442f7800d0eb62f4560b4072abd649052c3161ecef7ae355543793a0810e3fc7638abed6503667fa6324298e885293d61eafa

memory/4172-564-0x00000000005A0000-0x0000000000AD8000-memory.dmp

memory/4172-565-0x0000000001020000-0x0000000001021000-memory.dmp

memory/4172-566-0x00000000005A0000-0x0000000000AD8000-memory.dmp

memory/4172-567-0x0000000003E40000-0x0000000004240000-memory.dmp

memory/4172-568-0x0000000003E40000-0x0000000004240000-memory.dmp

memory/4172-569-0x00007FF86EC90000-0x00007FF86EE85000-memory.dmp

memory/4172-571-0x00000000758C0000-0x0000000075AD5000-memory.dmp

memory/3980-572-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/4172-587-0x00000000005A0000-0x0000000000AD8000-memory.dmp

memory/3596-588-0x0000000002660000-0x0000000002A60000-memory.dmp

memory/3596-591-0x00000000758C0000-0x0000000075AD5000-memory.dmp

memory/3596-589-0x00007FF86EC90000-0x00007FF86EE85000-memory.dmp

memory/3980-586-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/3980-585-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/3980-584-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/3980-583-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/3980-582-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/3980-581-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/3980-580-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/3596-575-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

memory/3980-574-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/3980-573-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

memory/1664-599-0x0000000140000000-0x0000000140519000-memory.dmp

memory/1664-597-0x00007FF86EE90000-0x00007FF86EE92000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 001963fde7827d92a484a1cee6e72178
SHA1 4ec97927df44f41fc5b8b3eb830b572387d60981
SHA256 5c39d7d4a8b9081c86d8605ce5bcc6365dd98e792d9c658d8f30bc74bb74e9d4
SHA512 b319dab98ce7164fa27bfd6c1616b0bce342a3ca55fc93d17c5c408ad3554f82acad076f5742495e81a17b9cbcd8cce9109f26f11b3744a174b261cc53f40c45

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 317a3873949725053187c11c366eba36
SHA1 a100df86e55825e5dd56ffcc248aa539b5f94d28
SHA256 b66e06dfada7b2e70b4f25263dbeb8b1e2bdd8d20851982f58c15c1b63d8791b
SHA512 6b94606d5e28fb8abadec55401038b95758077b9d9a8358abf8295dd0db83b5661c86d27db6e5b525c4c5ca419a757f4176995199d40f3548a32b13f69b3e322

memory/400-620-0x00007FF86EE90000-0x00007FF86EE92000-memory.dmp

memory/400-621-0x0000000140000000-0x0000000140F26000-memory.dmp

memory/396-624-0x000001B2DB5E0000-0x000001B2DB602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40yikmot.203.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\system32\drivers\etc\hosts

MD5 5a624fe0d3f6f460b485035054b22c21
SHA1 2d8a3557572a4b605ef34aedbeb8173beb2c1c38
SHA256 8fe25ed6498e37c488f3969ddafa5bbd6400ddc15bc81e8b926d03927a60f4fa
SHA512 aa20e24532cdbc6b2faac5e79c75627ba8ede7ce48e262406f82360033473001e1e6d52dce7039e5669a3df3e83d7bf184c699b73153aca6017371747417555a

memory/516-642-0x0000000140000000-0x0000000140F26000-memory.dmp

memory/1988-663-0x000002521DCC0000-0x000002521DCDC000-memory.dmp

memory/1988-664-0x000002521DCE0000-0x000002521DD95000-memory.dmp

memory/1988-665-0x000002521DDA0000-0x000002521DDAA000-memory.dmp

memory/1988-666-0x000002521DF10000-0x000002521DF2C000-memory.dmp

memory/1988-667-0x000002521DEF0000-0x000002521DEFA000-memory.dmp

memory/1988-668-0x000002521DF50000-0x000002521DF6A000-memory.dmp

memory/1988-669-0x000002521DF00000-0x000002521DF08000-memory.dmp

memory/1988-670-0x000002521DF30000-0x000002521DF36000-memory.dmp

memory/1988-671-0x000002521DF40000-0x000002521DF4A000-memory.dmp

memory/2604-679-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2604-678-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2604-677-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2604-676-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2604-675-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2604-683-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4400-690-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-688-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-685-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-692-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-689-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-695-0x00000000010C0000-0x00000000010E0000-memory.dmp

memory/4400-694-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-696-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-698-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-697-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-700-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-699-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-691-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-687-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-686-0x0000000140000000-0x000000014082C000-memory.dmp

memory/4400-684-0x0000000140000000-0x000000014082C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 55ff5316a434db27e35b898342428edc
SHA1 2d8a15f959de63e4a1e193f220f0ddf924a1de6b
SHA256 7516ffe74c45ab0ee9c41f7a511523228c637b928b10998ae41f8f3bad3afa0f
SHA512 6c7e4cb95999af30ca44461519a65a57dc688249bbd53fdf756e8200d9935c588630610ef10cadeec822edb56413de85b33c4227de71ad434fa6342258db157e

memory/4400-714-0x0000000140000000-0x000000014082C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8e8d960298d286bb41c54f29e4764648
SHA1 9cb2f43c02bec6d28ba1a8c4f6c23ffcb962f85d
SHA256 479ae1e89ea96e6931aef6206c3a5a4851573d4d36a554d299eb3b398fc0d53a
SHA512 dbb23789ab8b65427ba81b9bd24e543bef94acecd3f325ba27ae7bba14c71a27944276dfa66467f62c266de19ada40ce230dfda6daecf4c9942c351c485ece54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c1c97a6dd430b6a72a81949e853d1ffa
SHA1 b1bdd0c72669a4d2ba3045fbd6a38e3511267eb3
SHA256 23a3d761089214bacb77866597e26f4989b59c784eefad81f0f9f0ea58e8c788
SHA512 3f94256484b1cd4e4bff0f4d752fab1d38533b94c4d54fa6ac2a0be8295d6e8af3ea074d45a09cb6351cdf6fb1ff26e98c8de047a3b32cc65eb5a602e273d6e6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0

MD5 d196a82469fd12e1a551b3edc811b40d
SHA1 ad60592d82e593ecf21200424769996d7cda3d2c
SHA256 773175166e49b1b276f17ae641201babf362ff3f1a59750285c7fb84f5f896c8
SHA512 ab9cd02897c35ebd822fddc9dd7036ad964bbb8ee088d668a5d9483c3c25fa34b8860c7e408e08cb3bae85fc7a54987b6c5ed5526859deb64b9741d6a8262c29

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

MD5 18905174783451f915ad6954aff4dcb3
SHA1 e6f280b54613b926faca887b6d8c24f617a404d0
SHA256 00968cb623530d55cfe5c4b4aceaf78a30b6601349b8f21035d04449b6791b79
SHA512 7cf9379b77c0c047a1c260e5a53c64d4df6308d439b7481f777d0118ec96356ed3443e0f7e7e356f807e07c3ed1f17d34ebad68af71a8911dc5b9dbaab59c8a5

memory/720-750-0x0000000140000000-0x0000000140519000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 05d8060508563ca42c27ed1c4375b35e
SHA1 a2cefbc418445a5368455a9e3fd5af26c54c5f77
SHA256 4f32aedd8e39fdd3bf4be02f76cb5e54da0a4f8a48b0dcbd54fb15f0fc8aec4c
SHA512 cee7d83d5f123d4420ea6ce5988fae037470a50e358ba83f2f6a54d418d6c1e4ba576165438aee180c262adc3f9527b1169bfc8150abbd3c31f84c2aa55cc346

memory/1416-768-0x00000000001A0000-0x00000000006D8000-memory.dmp

memory/1416-769-0x00000000007E0000-0x00000000007E1000-memory.dmp

memory/628-777-0x00000000001A0000-0x00000000006D8000-memory.dmp

memory/1416-795-0x00000000001A0000-0x00000000006D8000-memory.dmp

memory/628-799-0x00000000001A0000-0x00000000006D8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0ca77316ec4384257fbf25b9b7dc0ff4
SHA1 89a5d6f3d4483aef71b56c060580d46ef52f56e1
SHA256 916ed674234ddf564848ba5c662d228edb7082ada82e014b00c6297ae228b6b1
SHA512 ed25fbbe048f4207363f81b4c84d29b2b00260824c022cd0d03597f666fd04cb29ed0f6fb2d0efc863ccb9985e143eb8369c525d1d44efc7186657a51f11c474

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 84ddfd8a129439bbbd49e862e383fffd
SHA1 fb1185a843d182bfcc771162c630a225dc076f2c
SHA256 712a3d4df0fad812634680e0b074db50921cc0664c06dc8fc83b16a375b7eb1d
SHA512 bd40a7f0344750fc4ea77346d5bacc662673e230a01f718a9fcbddf41d8faec57dde16998d0b53e9cefe0572a99855288f628fd68f739c5907221f563561cbee

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 82cd390c290cdd13f5128744a443f715
SHA1 cb0f603ed47c16292225da597d87e9764b590247
SHA256 f954bc998604b64ea7c29c391b54d3b03f3629b306b2620883719094ff0ad514
SHA512 6a9eeaaccb28e6ecc971b748faec36854ede5db8bbdd689b4ce7348ec63295593625aad9618609291c68bb142dded92a619bec676261405cf11ceb104b608fd6

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

memory/2644-876-0x00000263A1670000-0x00000263A1725000-memory.dmp

memory/4724-882-0x0000000000390000-0x00000000008C8000-memory.dmp

memory/4724-899-0x0000000000390000-0x00000000008C8000-memory.dmp