Malware Analysis Report

2024-11-13 14:01

Sample ID 240407-2xvchsha5z
Target 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40
SHA256 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40
Tags
amadey risepro evasion persistence spyware stealer themida trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40

Threat Level: Known bad

The file 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40 was found to be: Known bad.

Malicious Activity Summary

amadey risepro evasion persistence spyware stealer themida trojan

Amadey

RisePro

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Checks BIOS information in registry

Reads WinSCP keys stored on the system

Themida packer

Reads user/profile data of web browsers

Checks computer location settings

Reads local data of messenger clients

Identifies Wine through registry keys

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 22:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 22:58

Reported

2024-04-07 23:00

Platform

win7-20240221-en

Max time kernel

38s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Detects executables packed with Themida

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\adc0011383.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\adc0011383.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorha.job | C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | N/A
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2320 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2680 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe
PID 2680 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2680 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 2680 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe
PID 2832 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1132 wrote to memory of 1080 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1132 wrote to memory of 1336 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe

"C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe

"C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"

C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6689758,0x7fef6689768,0x7fef6689778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3212 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1548 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:2

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\452737119395_Desktop.zip' -CompressionLevel Optimal

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:8

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
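The process list above contains the command lines a detection engineer would key on: rundll32.exe loading cred64.dll and clip64.dll from a directory under AppData\Roaming, "netsh wlan show profiles", and a PowerShell Compress-Archive call that zips Temp\_Files_ into a *_Desktop.zip before upload. The following Python is an added example, not part of the sandbox report: it runs four narrow rules over process-creation command lines. The sample input is constructed from the lines above plus one benign rundll32 line (invented as a control); the rule names are the author's own.

```python
import re

# Constructed sample input: command lines copied from the Processes list above, plus one
# benign rundll32 line (constructed) so the rules can be checked against a normal case.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r"netsh wlan show profiles",
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
    r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\452737119395_Desktop.zip' -CompressionLevel Optimal",
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',  # benign control
]

RULES = {
    # rundll32 executing a DLL that lives under the user's AppData tree (cred64.dll / clip64.dll above)
    "rundll32_dll_from_appdata": re.compile(
        r'rundll32(?:\.exe)?"?\s+"?[a-z]:\\users\\[^\\]+\\appdata\\[^,]+\.dll\s*,', re.I),
    # Wi-Fi profile enumeration; a follow-up "show profile name=... key=clear" dumps the PSK
    "netsh_wlan_profiles": re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I),
    # collected files zipped into a Temp directory: staging before exfiltration
    "powershell_archive_staging": re.compile(
        r"compress-archive.+?-destinationpath\s+['\"]?[^'\"]*\\temp\\[^'\"]*\.zip", re.I),
    # executable started from a sub-directory of %LOCALAPPDATA%\Temp (the numbered download folders above)
    "exe_from_temp_subdir": re.compile(
        r'^"?[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^"\\]+\\[^"\\]+\.exe"?', re.I),
}


def detect(command_lines):
    """Return (rule_name, command_line) pairs for every rule that fires, in input order."""
    hits = []
    for cmdline in command_lines:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.append((name, cmdline))
    return hits


def summarize(hits):
    """Count hits per rule so triage can rank the loudest signal first."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, cmdline in detect(SAMPLE_COMMAND_LINES):
        print(f"{name:28s} {cmdline}")
```

The first three rules are specific enough to page on; "exe_from_temp_subdir" fires on legitimate installers too and is only useful as a correlating signal, which is why the chrome.exe and benign rundll32 lines produce no hits at all.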

Network

Country Destination Domain Proto
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 www.youtube.com udp
DE 216.58.212.174:443 www.youtube.com tcp
DE 216.58.212.174:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
DE 142.250.185.78:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:443 www.google.com tcp
RU 193.233.132.56:80 193.233.132.56 tcp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 consent.youtube.com udp
DE 142.250.185.78:443 consent.youtube.com udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 play.google.com udp
DE 172.217.23.110:443 play.google.com tcp
DE 172.217.23.110:443 play.google.com udp
DE 142.250.185.78:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 google.com udp
DE 142.250.186.46:443 google.com tcp
DE 142.250.186.46:443 google.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
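Most rows in the table above are Google traffic generated by the chrome.exe instance the sample launched, and they should not end up on a blocklist. The rows that matter are the plaintext port-80 connections to 193.233.132.56 and 193.233.132.167, contacted by IP with no DNS lookup. The following Python is an added example, not part of the report: it parses rows in the table's own layout (tolerating the mDNS row that has no Domain value), sorts them into DNS lookups, local multicast noise, name-resolved connections and direct-to-IP connections, and extracts the direct-to-IP endpoints as C2 candidates. The embedded table is a constructed subset of the rows above.

```python
import ipaddress

# Constructed from the Network table above (a representative subset, header included);
# the multicast row is kept deliberately because it lacks the Domain column.
NETWORK_TABLE = """\
Country Destination Domain Proto
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 www.youtube.com udp
DE 216.58.212.174:443 www.youtube.com tcp
RU 193.233.132.56:80 193.233.132.56 tcp
N/A 224.0.0.251:5353 udp
DE 142.250.185.78:443 consent.youtube.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
"""


def parse_rows(text):
    """Parse whitespace-separated rows; a 3-field row is one with an empty Domain column."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Bucket a row: multicast noise, DNS lookup, connection by name, or connection by raw IP."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast:
        return "local_noise"
    if row["port"] == 53:
        return "dns_lookup"
    if row["domain"] is None or row["domain"] == row["ip"]:
        return "direct_ip"
    return "resolved"


def c2_candidates(rows):
    """Distinct ip:port endpoints contacted with no name resolution, in order of first sight."""
    seen = []
    for r in rows:
        if classify(r) == "direct_ip":
            endpoint = f'{r["ip"]}:{r["port"]}'
            if endpoint not in seen:
                seen.append(endpoint)
    return seen


def resolved_names(rows):
    """Hostnames that were looked up or connected to by name, for a separate domain-level review."""
    return sorted({r["domain"] for r in rows if r["domain"] and r["domain"] != r["ip"]})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    print("direct-to-IP:", c2_candidates(rows))
    print("by name:     ", resolved_names(rows))
```

Direct-to-IP over plaintext HTTP from a freshly dropped executable is the signal worth blocking; the resolved names here belong to the browser and go through the normal allow-list review rather than straight onto a denylist.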

Files

memory/2320-0-0x00000000013E0000-0x000000000189F000-memory.dmp

memory/2320-1-0x0000000077070000-0x0000000077072000-memory.dmp

memory/2320-2-0x00000000013E0000-0x000000000189F000-memory.dmp

memory/2320-12-0x0000000000580000-0x0000000000581000-memory.dmp

memory/2320-13-0x0000000000910000-0x0000000000911000-memory.dmp

memory/2320-11-0x0000000000C30000-0x0000000000C31000-memory.dmp

memory/2320-10-0x0000000000990000-0x0000000000991000-memory.dmp

memory/2320-9-0x0000000000930000-0x0000000000931000-memory.dmp

memory/2320-8-0x0000000000590000-0x0000000000591000-memory.dmp

memory/2320-7-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/2320-6-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/2320-5-0x0000000000980000-0x0000000000981000-memory.dmp

memory/2320-4-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/2320-3-0x00000000009A0000-0x00000000009A2000-memory.dmp

memory/2320-14-0x0000000000920000-0x0000000000921000-memory.dmp

memory/2320-15-0x0000000000D90000-0x0000000000D91000-memory.dmp

memory/2320-17-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/2320-18-0x0000000000E70000-0x0000000000E71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 7f40d98b2ba64348358fd75b5f0bdcfb
SHA1 e9f33ceeac6b2de2f63f9e73902b2926ba61364c
SHA256 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40
SHA512 c275ae0f9199f7fc024565e55afdbd952ad46ebcb890018acd22893e6e063a1db0e995fae77fc6e3a2ccb0971666e7ca5b920f4e8fc75b39f830bc0f45799abd

memory/2680-29-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2320-28-0x00000000013E0000-0x000000000189F000-memory.dmp

memory/2320-26-0x0000000007280000-0x000000000773F000-memory.dmp

memory/2680-30-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-31-0x00000000025F0000-0x00000000025F2000-memory.dmp

memory/2680-39-0x0000000002900000-0x0000000002901000-memory.dmp

memory/2680-41-0x0000000002560000-0x0000000002561000-memory.dmp

memory/2680-40-0x0000000002480000-0x0000000002481000-memory.dmp

memory/2680-38-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/2680-37-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2680-36-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/2680-35-0x0000000002290000-0x0000000002291000-memory.dmp

memory/2680-34-0x0000000002990000-0x0000000002991000-memory.dmp

memory/2680-33-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/2680-32-0x0000000002850000-0x0000000002851000-memory.dmp

memory/2680-44-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/2680-43-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2680-45-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/2680-46-0x0000000002420000-0x0000000002421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe

MD5 3edac80b993a482f7112524ab56c8ab0
SHA1 e9aca74db0ddbbc6eccf8039a7c7a892fe3f746c
SHA256 5af1635dd01cd83fc6c9bb03f52f066ff9fd2c8e6e5a9260f71288fba4fe438d
SHA512 e7afb65176dcc69c8af46da866a4ba762ee1fe039a94089a1ed6f61d6ee4845c1fdd32f9cfbf343399db3cffc8bbb5a5ef81d0f78face4d1262e5e736c64b45b

memory/2680-60-0x0000000006E00000-0x00000000075A1000-memory.dmp

memory/2892-62-0x00000000009A0000-0x0000000001141000-memory.dmp

memory/2892-63-0x00000000009A0000-0x0000000001141000-memory.dmp

memory/2892-61-0x00000000009A0000-0x0000000001141000-memory.dmp

memory/2892-64-0x00000000009A0000-0x0000000001141000-memory.dmp

memory/2892-65-0x00000000009A0000-0x0000000001141000-memory.dmp

memory/2892-67-0x00000000009A0000-0x0000000001141000-memory.dmp

memory/2892-66-0x00000000009A0000-0x0000000001141000-memory.dmp

memory/2892-68-0x00000000009A0000-0x0000000001141000-memory.dmp

memory/2680-72-0x000000000AC90000-0x000000000B14F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

MD5 5c1591069b7d16c4e1c354e8589e3e29
SHA1 0822e58e1d4674a3ae29351a4eea38012616efd4
SHA256 fe04a0fbd786f1f69cb8716383383149a910de26bfed62ea9611f2ff357cb869
SHA512 82bd3a6343ab833702b327652f45cbd92b53f41e9e4caa25b1b589041f6c9963057e378ff5cf48880e6f63c3c588379d693da57dff858abe822ce8bf034e1253

memory/2680-89-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-90-0x0000000006E00000-0x00000000072C9000-memory.dmp

memory/2436-91-0x00000000001E0000-0x00000000006A9000-memory.dmp

memory/2680-92-0x0000000006E00000-0x00000000072C9000-memory.dmp

memory/2436-105-0x0000000002270000-0x0000000002271000-memory.dmp

memory/2436-104-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/2436-103-0x0000000002560000-0x0000000002561000-memory.dmp

memory/2436-106-0x00000000001E0000-0x00000000006A9000-memory.dmp

memory/2436-102-0x0000000002320000-0x0000000002321000-memory.dmp

memory/2436-101-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/2436-100-0x0000000000A00000-0x0000000000A01000-memory.dmp

memory/2436-99-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/2436-98-0x00000000008C0000-0x00000000008C1000-memory.dmp

memory/2436-97-0x0000000002670000-0x0000000002671000-memory.dmp

memory/2436-96-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/2436-95-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/2436-94-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/2680-93-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-116-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2436-124-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/2680-126-0x0000000006E00000-0x00000000075A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe

MD5 c1a04495bca429962b8b3344fa8684a2
SHA1 b6f77a13ad98d5cdd56152fe0ff1fca62aeb286c
SHA256 4896377dfe62c7180cc960702291f7467ec7a2209b207cbfd63ccf27f29af524
SHA512 1cbb5fa5a027898dff3bf12c7c2428f56243b21b5f99101f235ae0dc2283a8421f68667f95e7ab1b6c8ec32d62f2f5d41a2f736dcbf5b0bce087ae317406afd4

memory/2436-125-0x00000000001E0000-0x00000000006A9000-memory.dmp

memory/2436-120-0x0000000000950000-0x0000000000951000-memory.dmp

memory/2436-118-0x0000000002680000-0x0000000002681000-memory.dmp

memory/2436-117-0x00000000022C0000-0x00000000022C1000-memory.dmp

\??\pipe\crashpad_1132_PUBKMITYVUHASYXQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

memory/2892-173-0x00000000009A0000-0x0000000001141000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/2228-224-0x000000001B850000-0x000000001BB32000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/2680-253-0x00000000003C0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

memory/2680-276-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-282-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-284-0x00000000003C0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 89568b34294355d476f540f23bc0c621
SHA1 a735296c8f31e3e8f6680be897d0fcff3254aa1f
SHA256 8a6f9a1060403dfd0984c6405bf024cd0baa90387e27f0b426f5fcf6228f3ecb
SHA512 7ad9052eda3dbbd02f1ca4adc8416d3e8f1b4435d854a9f1b3b77ce892ffb3727958021d24dabc7cdf920cc340ef8e22df663c6010a1c3fcebc8fa426b6952cc

memory/2680-293-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-297-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-299-0x00000000003C0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c4961780eb61c7839d1ca21859d725c1
SHA1 3b418052ae19f62cb6d432da4f7fc67737c7504c
SHA256 304cb937eafa81f255a24dc7dfc4af7f9e4eee65151c1df795e30e6e14be8e74
SHA512 4cec58bec51ed32cfc1b4aa4e6bae6a37f960a84f0372bafad5f04bdf9be9751da953d3ad39d774f2c22e6acc51f4cd562325750557ec2b7e6b5c00acdfbf686

memory/2680-312-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-314-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-316-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-318-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-320-0x00000000003C0000-0x000000000087F000-memory.dmp

memory/2680-322-0x00000000003C0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ef61562c2d2fc1bb55c319611e9f6f01
SHA1 29beb784232fabd146b76ed2bb592aa64364d5f6
SHA256 7be3218d5edd9169dccaabbb1f988094dbd9bd7159ffbda9132561bb6d89ce78
SHA512 3654bc7e8d52e92dae200eb1006ede2c9dc65db8b17323993543620fe609426cc75f3d063d94ff8646156d5fce6ddb94b338d03c05998ef886a58ea4948b2f01
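Two things in the Files list above are easy to get wrong when turning it into indicators. First, explorha.exe carries the same SHA256 as the submitted sample, so it is a self-copy rather than a second payload. Second, the \??\pipe\crashpad_... entry reports MD5 d41d8cd9... / SHA256 e3b0c442..., the digests of zero bytes; a blocklist containing that hash matches every empty file on every host. The Chrome profile files (Preferences, LevelDB, DawnCache) are the victim browser's own writes, not dropped payloads. The following Python is an added example, not part of the report: it builds a blocklist from the entries above with those exclusions, identifies self-copies, and offers an in-memory and an on-disk matcher. The entry list is constructed from the report; hashing helpers are standard library only.

```python
import hashlib
import os

SAMPLE_SHA256 = "85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # e3b0c442...: the digest of zero bytes

# Constructed from the Files list above: (path written during detonation, reported SHA256).
FILES_FROM_REPORT = [
    (r"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe",
     "85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe",
     "5af1635dd01cd83fc6c9bb03f52f066ff9fd2c8e6e5a9260f71288fba4fe438d"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe",
     "fe04a0fbd786f1f69cb8716383383149a910de26bfed62ea9611f2ff357cb869"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe",
     "4896377dfe62c7180cc960702291f7467ec7a2209b207cbfd63ccf27f29af524"),
    (r"\??\pipe\crashpad_1132_PUBKMITYVUHASYXQ",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp",
     "8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa"),
    (r"C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll",
     "3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1",
     "b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec"),
    (r"C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll",
     "12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences",
     "8a6f9a1060403dfd0984c6405bf024cd0baa90387e27f0b426f5fcf6228f3ecb"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State",
     "7be3218d5edd9169dccaabbb1f988094dbd9bd7159ffbda9132561bb6d89ce78"),
]


def build_blocklist(entries):
    """SHA256 -> reported path, skipping zero-byte artefacts and the browser's own profile files."""
    blocklist = {}
    for path, sha in entries:
        sha = sha.lower()
        if sha == EMPTY_SHA256:
            continue  # named pipe / empty file: would match every empty file everywhere
        if r"\google\chrome\user data" in path.lower():
            continue  # written by the victim browser, not by the malware
        blocklist[sha] = path
    return blocklist


def self_copies(entries, sample_sha=SAMPLE_SHA256):
    """Dropped files byte-identical to the submitted sample."""
    return [path for path, sha in entries if sha.lower() == sample_sha]


def sha256_file(path, chunk=1 << 20):
    """Chunked SHA256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_blobs(named_blobs, blocklist):
    """Match (name, bytes) pairs against the blocklist; returns (name, sha256, reported_path)."""
    hits = []
    for name, data in named_blobs:
        sha = hashlib.sha256(data).hexdigest()
        if sha in blocklist:
            hits.append((name, sha, blocklist[sha]))
    return hits


def scan_tree(root, blocklist):
    """Walk a directory tree and report files whose SHA256 is on the blocklist."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                sha = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if sha in blocklist:
                hits.append((p, sha, blocklist[sha]))
    return hits
```

Run scan_tree over a suspect profile directory with the blocklist from build_blocklist; the six remaining hashes (the self-copy, the three downloaded executables and the two rundll32-loaded DLLs) are the ones worth pushing to an EDR.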

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 22:58

Reported

2024-04-07 23:00

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe N/A
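The registry signatures above (the VBOX__ ACPI table, SystemBiosVersion/VideoBiosVersion, the Wine key, Geo\Nation and EnableLUA) are individually weak: plenty of legitimate software reads hardware and BIOS values, and chrome.exe itself reads BIOS\SystemProductName further down in this report. What identifies the sample is the combination of several distinct checks in one process. The following Python is an added example, not part of the report: it maps registry paths to technique labels by suffix (so the user SID does not leak into the rule), aggregates distinct techniques per process and flags only processes that exercise two or more. The event list is constructed from the rows above; treating the Geo\Nation read as an anti-analysis or targeting gate is an assumption of the example, the report only labels it "Checks computer location settings".

```python
import ntpath

SID = r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe"
EXPLORHA = r"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
AMERT = r"C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"
F770 = r"C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed from the signature tables above: (operation, registry path, process).
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", EXPLORHA),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", AMERT),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", AMERT),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", EXPLORHA),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", EXPLORHA),
    ("Key value queried", SID + r"\Control Panel\International\Geo\Nation", SAMPLE),
    ("Key opened", SID + r"\Software\Wine", EXPLORHA),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", F770),
    # Chrome reading BIOS\SystemProductName (the "Enumerates system info" rows): benign, must not score
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", CHROME),
]

# Registry path suffix (lower-case) -> technique label; suffix matching ignores hive and SID.
TECHNIQUES = {
    "vbox_acpi": (r"\acpi\dsdt\vbox__",),
    "bios_version": (r"\system\systembiosversion", r"\system\videobiosversion"),
    "wine": (r"\software\wine",),
    "geo_nation": (r"\international\geo\nation",),  # assumed to be a region gate; see lead-in
    "uac_query": (r"\policies\system\enablelua",),
}


def technique_for(key):
    """Return the technique label for a registry path, or None if it is not an evasion check."""
    k = key.lower()
    for name, suffixes in TECHNIQUES.items():
        if k.endswith(suffixes):
            return name
    return None


def score_processes(events):
    """Map each process to the set of distinct anti-analysis techniques it exercised."""
    scores = {}
    for _op, key, proc in events:
        technique = technique_for(key)
        if technique:
            scores.setdefault(proc, set()).add(technique)
    return scores


def flag_anti_analysis(events, min_techniques=2):
    """Processes with at least min_techniques distinct checks, most techniques first.
    A single hardware read is normal software behaviour; the combination is the signal."""
    ranked = [(proc, sorted(techs)) for proc, techs in score_processes(events).items()
              if len(techs) >= min_techniques]
    ranked.sort(key=lambda item: (-len(item[1]), ntpath.basename(item[0]).lower()))
    return ranked


if __name__ == "__main__":
    for proc, techs in flag_anti_analysis(EVENTS):
        print(f"{ntpath.basename(proc):16s} {len(techs)} techniques: {', '.join(techs)}")
```

With the threshold at two, explorha.exe (three checks), the original sample and amert.exe (two each) are flagged, f770f38967.exe with only the EnableLUA read is not, and chrome.exe never enters the score table because SystemProductName is not one of the suffixes.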

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorha.job C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570043204761035" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3356 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3356 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 404 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe
PID 404 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe
PID 404 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe
PID 404 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 404 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 404 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 404 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 404 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 404 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 404 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 404 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 404 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2964 wrote to memory of 3924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2964 wrote to memory of 3924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 404 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe
PID 404 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe
PID 404 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe
PID 3924 wrote to memory of 4848 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 3924 wrote to memory of 4848 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 64 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 64 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 4500 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 4500 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3924 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4792 wrote to memory of 3208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe

"C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe

"C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca1a99758,0x7ffca1a99768,0x7ffca1a99778

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:8

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3684 --field-trial-handle=1688,i,17406593953982927397,11668463940740309418,131072 /prefetch:2

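The WriteProcessMemory rows and the Processes list together describe the execution chain, but the report does not draw it. The Python below is an added example, not part of the sandbox report or of any Amadey tooling: it rebuilds the parent/child tree from a constructed subset of the "PID X wrote to memory of Y" rows, attaches the command lines listed above to the PIDs those rows name (an assumption, since the report does not link PIDs to command lines; the pairing follows order of appearance), and applies three detection rules matching what happened in this detonation: rundll32 loading the Main export of a DLL under %APPDATA%\<hex>\, netsh wlan show profiles spawned by rundll32, and a PowerShell Compress-Archive that stages files from %TEMP%\_Files_ into a zip in %TEMP%. The hex-length bound in the DLL rule is taken from the two directory names on this page and is an assumption.

```python
import ntpath
import re

# Constructed input mirroring rows of the "Suspicious use of WriteProcessMemory"
# table above (source PID, target PID, source image, target image). The sandbox
# logs one row per write, so repeated rows are expected and are collapsed here.
WPM_ROWS = r"""
PID 3356 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3356 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 404 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe
PID 404 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 404 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 2964 wrote to memory of 3924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 404 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe
PID 3924 wrote to memory of 4848 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 64 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3924 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

# Constructed mapping: command lines copied from the Processes list, keyed by the
# PIDs the rows above assign to them (assumed pairing, by order of appearance).
CMDLINES = {
    2964: r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    3924: r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    4848: "netsh wlan show profiles",
    1128: r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal",
    4792: r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")

# Rule 1: rundll32 calling the Main export of a DLL under %APPDATA%\<hex dir>\.
# The 10-16 hex-character bound is an assumption taken from the two directory
# names on this page (a091ec0a6e2227, 006700e5a2ab05).
AMADEY_PLUGIN = re.compile(
    r'rundll32\.exe"?\s+(?P<dll>[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[0-9a-f]{10,16}\\[^,\s]+\.dll)\s*,\s*main\b',
    re.IGNORECASE,
)
# Rule 2: Wi-Fi profile enumeration (only alerted when the parent is rundll32).
WIFI_DUMP = re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.IGNORECASE)
# Rule 3: archiving a %TEMP% staging folder into a %TEMP% zip (parent rundll32).
STAGING = re.compile(
    r"compress-archive\s+-path\s+'[^']*\\appdata\\local\\temp\\[^']*'\s+-destinationpath\s+'[^']*\\appdata\\local\\temp\\[^']*\.zip'",
    re.IGNORECASE,
)


def parse_tree(rows):
    """Return (parent_of, image_of) built from the WriteProcessMemory rows."""
    parent_of, image_of = {}, {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        src, dst = int(m[1]), int(m[2])
        parent_of[dst] = src              # duplicate rows collapse onto one key
        image_of.setdefault(src, m[3])
        image_of[dst] = m[4]
    return parent_of, image_of


def chain(pid, parent_of, image_of):
    """Image basenames from the root of the tree down to pid."""
    names = []
    while pid is not None:
        names.append(ntpath.basename(image_of[pid]).lower())
        pid = parent_of.get(pid)
    return list(reversed(names))


def detect(parent_of, image_of, cmdlines):
    """Apply the three rules; each hit records rule, pid and the full ancestry."""
    hits = []
    for pid, cmd in cmdlines.items():
        parent = parent_of.get(pid)
        parent_is_rundll = parent is not None and \
            ntpath.basename(image_of[parent]).lower() == "rundll32.exe"
        rule = None
        m = AMADEY_PLUGIN.search(cmd)
        if m:
            rule = "amadey_plugin_load:" + ntpath.basename(m["dll"]).lower()
        elif parent_is_rundll and WIFI_DUMP.search(cmd):
            rule = "wifi_profile_harvest"
        elif parent_is_rundll and STAGING.search(cmd):
            rule = "stolen_file_staging"
        if rule:
            hits.append({"rule": rule, "pid": pid, "chain": chain(pid, parent_of, image_of)})
    return sorted(hits, key=lambda h: h["pid"])


def run_report(rows=WPM_ROWS, cmdlines=CMDLINES):
    parent_of, image_of = parse_tree(rows)
    return detect(parent_of, image_of, cmdlines)


if __name__ == "__main__":
    for h in run_report():
        print(f"{h['rule']:<32} pid={h['pid']:<5} {' -> '.join(h['chain'])}")
```

Both rundll32 instances hit the plugin rule: 32-bit explorha.exe starts rundll32 (file-system redirection resolves "C:\Windows\System32\rundll32.exe" to the SysWOW64 copy, which is why the Process column and the command line disagree above), and that instance relaunches the 64-bit C:\Windows\system32\rundll32.exe to host cred64.dll; netsh and powershell are children of the 64-bit one. Requiring a rundll32 parent for the netsh and Compress-Archive rules keeps ordinary administrative use of those commands out of the alert set.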
Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 www.youtube.com udp
DE 216.58.212.174:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
DE 142.250.185.78:443 consent.youtube.com tcp
US 8.8.8.8:53 131.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 78.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:443 www.google.com tcp
US 8.8.8.8:53 227.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
DE 216.58.206.46:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 46.206.58.216.in-addr.arpa udp
DE 142.250.185.78:443 consent.youtube.com udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
DE 172.217.23.110:443 play.google.com tcp
DE 172.217.23.110:443 play.google.com udp
US 8.8.8.8:53 110.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
DE 142.250.185.78:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 beacons4.gvt2.com udp
US 216.239.32.116:443 beacons4.gvt2.com tcp
US 216.239.32.116:443 beacons4.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 116.32.239.216.in-addr.arpa udp
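Most rows in the Network table are DNS queries, reverse (PTR) lookups and Chrome's own traffic to Google properties (the browser was launched by 4b00018890.exe with https://www.youtube.com/account). The Python below is an added example, not part of the report: it parses a constructed subset of the rows in the table's own layout, classifies each one, and keeps as C2 candidates only plain-HTTP connections to bare, globally routable IPs that were never resolved by name; it also reverses the in-addr.arpa names to show which of those addresses were reverse-resolved during the run. The port-80-to-bare-IP criterion is an assumption drawn from this report's traffic, not a general Amadey signature.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: a subset of the Network table above in its own
# "Country Destination Domain Proto" layout (the mDNS row has no Domain).
NETWORK_ROWS = """
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 www.youtube.com udp
DE 216.58.212.174:443 www.youtube.com tcp
N/A 224.0.0.251:5353 udp
RU 193.233.132.56:80 193.233.132.56 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
DE 172.217.23.110:443 play.google.com tcp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_row(line):
    m = ROW_RE.match(line)
    if not m:
        raise ValueError("unparsed row: " + line)
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def ptr_to_ip(name):
    """'56.132.233.193.in-addr.arpa' -> '193.233.132.56'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(row):
    if row["domain"] is None:
        return "multicast" if ipaddress.ip_address(row["ip"]).is_multicast else "unnamed"
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr_lookup"
    if row["port"] == 53:
        return "dns_query"
    if row["domain"] == row["ip"]:
        return "direct_ip"      # connection with no preceding name resolution
    return "named"


def triage(text):
    """Separate the bare-IP HTTP connections from DNS and browser noise."""
    c2, ptr_targets, named = Counter(), set(), set()
    for line in text.strip().splitlines():
        row = parse_row(line)
        kind = classify(row)
        # Plain HTTP to a bare, globally routable address is the C2 pattern here.
        if kind == "direct_ip" and row["proto"] == "tcp" and row["port"] == 80 \
                and ipaddress.ip_address(row["ip"]).is_global:
            c2[row["ip"]] += 1
        elif kind == "ptr_lookup":
            ptr_targets.add(ptr_to_ip(row["domain"]))
        elif kind == "named" and row["port"] == 443:
            named.add(row["domain"])
    return {
        "c2_candidates": dict(c2),
        "c2_reverse_resolved": sorted(ip for ip in c2 if ip in ptr_targets),
        "named_hosts_443": sorted(named),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

On the full table the same logic isolates exactly three destinations, 193.233.132.56, 193.233.132.167 and 185.215.113.32 (all port 80, all RU), which are the only connections not explained by DNS, mDNS or the Chrome session; every named host on port 443 belongs to Google or YouTube and should not go on a blocklist.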

Files

memory/3356-0-0x0000000000920000-0x0000000000DDF000-memory.dmp

memory/3356-1-0x0000000077D64000-0x0000000077D66000-memory.dmp

memory/3356-2-0x0000000000920000-0x0000000000DDF000-memory.dmp

memory/3356-4-0x0000000005160000-0x0000000005161000-memory.dmp

memory/3356-3-0x0000000005150000-0x0000000005151000-memory.dmp

memory/3356-5-0x0000000005140000-0x0000000005141000-memory.dmp

memory/3356-7-0x0000000005120000-0x0000000005121000-memory.dmp

memory/3356-6-0x0000000005180000-0x0000000005181000-memory.dmp

memory/3356-8-0x0000000005130000-0x0000000005131000-memory.dmp

memory/3356-10-0x00000000051A0000-0x00000000051A1000-memory.dmp

memory/3356-9-0x00000000051B0000-0x00000000051B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 7f40d98b2ba64348358fd75b5f0bdcfb
SHA1 e9f33ceeac6b2de2f63f9e73902b2926ba61364c
SHA256 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40
SHA512 c275ae0f9199f7fc024565e55afdbd952ad46ebcb890018acd22893e6e063a1db0e995fae77fc6e3a2ccb0971666e7ca5b920f4e8fc75b39f830bc0f45799abd

memory/404-23-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/3356-21-0x0000000000920000-0x0000000000DDF000-memory.dmp

memory/404-24-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/404-25-0x0000000004B70000-0x0000000004B71000-memory.dmp

memory/404-28-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

memory/404-27-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/404-26-0x0000000004B80000-0x0000000004B81000-memory.dmp

memory/404-29-0x0000000004B40000-0x0000000004B41000-memory.dmp

memory/404-30-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/404-31-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

memory/404-32-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe

MD5 3edac80b993a482f7112524ab56c8ab0
SHA1 e9aca74db0ddbbc6eccf8039a7c7a892fe3f746c
SHA256 5af1635dd01cd83fc6c9bb03f52f066ff9fd2c8e6e5a9260f71288fba4fe438d
SHA512 e7afb65176dcc69c8af46da866a4ba762ee1fe039a94089a1ed6f61d6ee4845c1fdd32f9cfbf343399db3cffc8bbb5a5ef81d0f78face4d1262e5e736c64b45b

memory/2316-51-0x00000000004B0000-0x0000000000C51000-memory.dmp

memory/2316-52-0x00000000004B0000-0x0000000000C51000-memory.dmp

memory/2316-53-0x00000000004B0000-0x0000000000C51000-memory.dmp

memory/2316-54-0x00000000004B0000-0x0000000000C51000-memory.dmp

memory/2316-55-0x00000000004B0000-0x0000000000C51000-memory.dmp

memory/2316-56-0x00000000004B0000-0x0000000000C51000-memory.dmp

memory/2316-57-0x00000000004B0000-0x0000000000C51000-memory.dmp

memory/2316-58-0x00000000004B0000-0x0000000000C51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

MD5 5c1591069b7d16c4e1c354e8589e3e29
SHA1 0822e58e1d4674a3ae29351a4eea38012616efd4
SHA256 fe04a0fbd786f1f69cb8716383383149a910de26bfed62ea9611f2ff357cb869
SHA512 82bd3a6343ab833702b327652f45cbd92b53f41e9e4caa25b1b589041f6c9963057e378ff5cf48880e6f63c3c588379d693da57dff858abe822ce8bf034e1253

memory/404-75-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/1952-77-0x0000000000980000-0x0000000000E49000-memory.dmp

memory/1952-78-0x0000000000980000-0x0000000000E49000-memory.dmp

memory/1952-80-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/1952-79-0x0000000004A30000-0x0000000004A31000-memory.dmp

memory/1952-81-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/1952-82-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/1952-83-0x0000000004A00000-0x0000000004A01000-memory.dmp

memory/1952-84-0x0000000004A10000-0x0000000004A11000-memory.dmp

memory/1952-85-0x0000000004A50000-0x0000000004A51000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Temp\1000051001\4b00018890.exe

MD5 c1a04495bca429962b8b3344fa8684a2
SHA1 b6f77a13ad98d5cdd56152fe0ff1fca62aeb286c
SHA256 4896377dfe62c7180cc960702291f7467ec7a2209b207cbfd63ccf27f29af524
SHA512 1cbb5fa5a027898dff3bf12c7c2428f56243b21b5f99101f235ae0dc2283a8421f68667f95e7ab1b6c8ec32d62f2f5d41a2f736dcbf5b0bce087ae317406afd4

memory/1952-103-0x0000000004A80000-0x0000000004A81000-memory.dmp

memory/1952-104-0x0000000004A70000-0x0000000004A71000-memory.dmp

memory/1952-121-0x0000000000980000-0x0000000000E49000-memory.dmp

memory/404-124-0x0000000000F70000-0x000000000142F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4u1yiijc.j5q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1128-131-0x0000019E49310000-0x0000019E49332000-memory.dmp

\??\pipe\crashpad_4792_LLAYFPZRAOBVLUVL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1128-142-0x00007FFCA0E70000-0x00007FFCA1931000-memory.dmp

memory/2316-143-0x00000000004B0000-0x0000000000C51000-memory.dmp

memory/1128-144-0x0000019E487E0000-0x0000019E487F0000-memory.dmp

memory/1128-145-0x0000019E487E0000-0x0000019E487F0000-memory.dmp

memory/404-146-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/1128-158-0x0000019E49590000-0x0000019E495A2000-memory.dmp

memory/1128-166-0x0000019E49580000-0x0000019E4958A000-memory.dmp

memory/1128-173-0x00007FFCA0E70000-0x00007FFCA1931000-memory.dmp

memory/404-174-0x0000000000F70000-0x000000000142F000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6f7447e9663564f4abef83916133ccbc
SHA1 14e2a5ec0219d06daee44f3293644117d0f32cf9
SHA256 09bfdaee3bb0e0aac4b48f3bce015a664b2da240fa62b6d265693c9bf8defb8d
SHA512 24f8c4abf410a28b96126e5edd5b21eb2682702b3a746538dd67f78e5644984ec6993a20880dc05bbff0e81075a664f2e3406362bebad8b2c71f79deec915ad0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 09f30f42c9eb5bcf0e045ef3ce4641b3
SHA1 66e75241dfd077fd9ddad8f49c7989e2d33761d5
SHA256 515ff91fe45be54a7fa66882765980f56b78e2eb7dcf8362a5954d36d842a997
SHA512 8fd33482322f7ef01ff7482751a788bc83164aa26c22f808b3a88df44df0721503252dcedfea3df250774238fb95bad96a97999fb492d45f4d9b325ab5582de4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 33aada6c6f59645f079dd0925cac6ce9
SHA1 72b05c6bd56fceb0f92db0f7c2dee8f94fbab711
SHA256 a35a86c2a80d0a28306c26fc1df1cf1da7053871cde9e5fb2e3ef4909242ccf4
SHA512 1e4df3a6c3a434a9cfb043535b048045e90481d16f55387c6cb0db047726562c67dbfb686a89d3c283f49cee47ecd1e9cb79c51850e6e993af93cf13804b1f90

memory/404-211-0x0000000000F70000-0x000000000142F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 c67882d297cb0fac720b6cd6c8b094a0
SHA1 b10574302365bda05866543f2fba6c6f2907dcc5
SHA256 3c422e04d9a5c6d368ac8ed8b307ffdde3eb43f3acdeb8eed2c56ca99930fe77
SHA512 d2ba15b4b27557cd2e4642ac44cbcdd4ce8c6a6d4fa506a5717564f2fc91e900c7b53e66f099c913df88512eb76e39c06fe1b302ae26a84fa0b1ea8fadd69160

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6ae2a7f0135ddef904b4bda062991b5b
SHA1 f3d0e883e85a37717d07ed5ef25d7616cec0ea73
SHA256 ef7c181e99c865c7aca6b5e9e439995de24cb791a98c84eebdfc4c2cdbd4fd63
SHA512 89bbb0d88ed525d2c05537f9350b33d2172dd1aa42652bd5fd437b488efe1257ea7d0dcb388e241ea8db407d47d17b1260dc7c9c13a154222c792f41129b0ba6

memory/404-233-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/2296-236-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-237-0x0000000000A20000-0x0000000000EE9000-memory.dmp

memory/2296-238-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/2296-239-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

memory/2296-240-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/2296-242-0x0000000004B10000-0x0000000004B11000-memory.dmp

memory/2296-243-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

memory/2296-241-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/2296-244-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

memory/4572-246-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

memory/4572-245-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

memory/4572-247-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

memory/4572-248-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

memory/4572-249-0x0000000004F80000-0x0000000004F81000-memory.dmp

memory/4572-250-0x0000000004F90000-0x0000000004F91000-memory.dmp

memory/4572-251-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

memory/4572-252-0x0000000000A20000-0x0000000000EE9000-memory.dmp

memory/2296-253-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-254-0x0000000005010000-0x0000000005011000-memory.dmp

memory/4572-255-0x0000000005000000-0x0000000005001000-memory.dmp

memory/404-261-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-262-0x0000000000A20000-0x0000000000EE9000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

memory/4572-286-0x0000000000A20000-0x0000000000EE9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 fe3aab3ae544a134b68e881b82b70169
SHA1 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6
SHA256 bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b
SHA512 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7f5130f8643f9c281b6384704d27b900
SHA1 c384737918a1e492e8742800a251d31de1842de2
SHA256 e5a21b6e080bd51ab39ae0aa91aa0573951a52aafd2f021263141d0755e1cf8f
SHA512 ff471d00db8f4ec88cd0d52894e4f1a91ad32473cb173b7a5d431def9717cbe106c2ae431869651a3a9fc1801f9997a9d35d22a85cdb605ed98731e6dc129161

memory/1660-299-0x000002322D9B0000-0x000002322D9C0000-memory.dmp

memory/1660-297-0x00007FFCA06C0000-0x00007FFCA1181000-memory.dmp

memory/404-308-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-309-0x0000000000A20000-0x0000000000EE9000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

memory/404-322-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-323-0x0000000000A20000-0x0000000000EE9000-memory.dmp

memory/404-326-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-327-0x0000000000A20000-0x0000000000EE9000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 8ed3c31edfd7ab2d46c77b80b9af14f9
SHA1 aa9d089353a3b9450919e005aa3b4cfa8a5d4b98
SHA256 76e07ba8fedd8bf7df7913073dd277f96032b3869d1b1fb4ccba8d4b6f13b61c
SHA512 3bf0851a4148f982d8d6adad0736cd48a1a524652c8d5c318ef92516b4c8c27ee24f63284356fe7c73921f47dbc0150404c15ad584d553ea9da5282473463caa

memory/404-343-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-344-0x0000000000A20000-0x0000000000EE9000-memory.dmp

memory/404-347-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-348-0x0000000000A20000-0x0000000000EE9000-memory.dmp

memory/2092-358-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/404-360-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-361-0x0000000000A20000-0x0000000000EE9000-memory.dmp

memory/404-363-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-364-0x0000000000A20000-0x0000000000EE9000-memory.dmp

memory/404-366-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-367-0x0000000000A20000-0x0000000000EE9000-memory.dmp

memory/404-374-0x0000000000F70000-0x000000000142F000-memory.dmp

memory/4572-375-0x0000000000A20000-0x0000000000EE9000-memory.dmp
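The listing above is raw sandbox output: one entry per dropped file with its digests, and one entry per memory snapshot named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp. The helper below is an added example, not part of this report or of the sandbox that produced it. It parses that listing into records, collapses repeated snapshots of the same range per PID, picks out regions large enough to be worth carving for an unpacked image, flags entries whose digests are those of the empty input (here the crashpad named pipe, which has nothing to look up), and groups the cred64.dll/clip64.dll pairs by the hex-named directory they landed in. The sample input is a constructed subset of entries copied from this report's listing; the 1 MiB "large region" threshold is an assumption of mine, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Well-known digests of the empty input. An artifact carrying these was zero
# bytes when hashed (here the crashpad pipe), so a reputation lookup is pointless.
EMPTY_HASHES = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def is_empty(self) -> bool:
        return any(self.hashes.get(alg) == digest for alg, digest in EMPTY_HASHES.items())


def parse_listing(text: str) -> Tuple[List[DroppedFile], List[MemoryDump]]:
    """Turn the flat sandbox file list into file records and memory-dump records."""
    files: List[DroppedFile] = []
    dumps: List[MemoryDump] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None  # digest lines never follow a dump entry
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current.hashes[h.group(1)] = h.group(2).lower()
            continue
        # Anything else is a path: a drive-letter path or an NT object path (\??\...)
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps


def regions_by_pid(dumps: List[MemoryDump]) -> Dict[int, Set[Tuple[int, int]]]:
    """Distinct address ranges per PID; repeated dumps of one range are re-snapshots."""
    out: Dict[int, Set[Tuple[int, int]]] = {}
    for d in dumps:
        out.setdefault(d.pid, set()).add((d.start, d.end))
    return out


def large_regions(dumps: List[MemoryDump], min_size: int = 0x100000) -> List[MemoryDump]:
    """First dump of each range of at least min_size bytes (assumed 1 MiB default):
    the candidates to carve and scan for an unpacked PE image."""
    seen: Set[Tuple[int, int, int]] = set()
    out: List[MemoryDump] = []
    for d in dumps:
        key = (d.pid, d.start, d.end)
        if d.size >= min_size and key not in seen:
            seen.add(key)
            out.append(d)
    return out


def paired_dll_drops(files: List[DroppedFile]) -> Dict[str, List[str]]:
    """Group cred64.dll / clip64.dll drops by the directory they landed in."""
    out: Dict[str, List[str]] = {}
    for f in files:
        parent, _, name = f.path.rpartition("\\")
        if name.lower() in ("cred64.dll", "clip64.dll"):
            out.setdefault(parent, []).append(name.lower())
    return out


# Constructed sample: a subset of entries copied from this report's file listing.
SAMPLE = r"""
memory/404-28-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000042001\f770f38967.exe

MD5 3edac80b993a482f7112524ab56c8ab0
SHA256 5af1635dd01cd83fc6c9bb03f52f066ff9fd2c8e6e5a9260f71288fba4fe438d

memory/2316-51-0x00000000004B0000-0x0000000000C51000-memory.dmp
memory/2316-52-0x00000000004B0000-0x0000000000C51000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b

\??\pipe\crashpad_4792_LLAYFPZRAOBVLUVL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for d in large_regions(dumps):
        print(f"carve pid {d.pid} 0x{d.start:08X}-0x{d.end:08X} ({d.size:#x} bytes)")
    for f in files:
        if f.is_empty:
            print(f"empty artifact, skip lookup: {f.path}")
    for parent, names in paired_dll_drops(files).items():
        print(f"{parent}: {', '.join(sorted(names))}")
```

Run against the full listing, the same functions give one carve target per PID that holds a multi-megabyte mapping (404, 1952, 2296, 4572, 2316 in this report), while the dozens of single-page 0x1000-byte dumps are left alone; the two hex-named Roaming directories each come out holding both DLLs.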