Malware Analysis Report

2024-11-13 14:01

Sample ID: 240407-3dznkahf5x
Target: dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3
SHA256: dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3
Tags: amadey evasion spyware stealer trojan risepro persistence themida
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3

Threat Level: Known bad

The file dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3 was found to be: Known bad.

Malicious Activity Summary

amadey evasion spyware stealer trojan risepro persistence themida

Amadey

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Checks BIOS information in registry

Identifies Wine through registry keys

Reads WinSCP keys stored on the system

Checks computer location settings

Loads dropped DLL

Themida packer

Reads user/profile data of web browsers

Executes dropped EXE

Reads local data of messenger clients

Checks whether UAC is enabled

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 23:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 23:24
Reported: 2024-04-07 23:27
Platform: win10v2004-20231215-en
Max time kernel: 144s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorha.job | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3420 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3420 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3420 wrote to memory of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 3216 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3216 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3216 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5096 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 5096 wrote to memory of 888 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 888 wrote to memory of 3972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 888 wrote to memory of 3972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 888 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 888 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3216 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3216 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe

"C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
RU | 193.233.132.56:80 | 193.233.132.56 | tcp
US | 8.8.8.8:53 | 56.132.233.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
RU | 193.233.132.56:80 | 193.233.132.56 | tcp
RU | 193.233.132.56:80 | 193.233.132.56 | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/3420-0-0x0000000000BB0000-0x0000000001083000-memory.dmp

memory/3420-1-0x00000000776F4000-0x00000000776F6000-memory.dmp

memory/3420-2-0x0000000000BB0000-0x0000000001083000-memory.dmp

memory/3420-9-0x0000000005710000-0x0000000005711000-memory.dmp

memory/3420-8-0x00000000056C0000-0x00000000056C1000-memory.dmp

memory/3420-7-0x00000000056B0000-0x00000000056B1000-memory.dmp

memory/3420-6-0x0000000005720000-0x0000000005721000-memory.dmp

memory/3420-5-0x00000000056D0000-0x00000000056D1000-memory.dmp

memory/3420-4-0x00000000056F0000-0x00000000056F1000-memory.dmp

memory/3420-3-0x00000000056E0000-0x00000000056E1000-memory.dmp

memory/3420-11-0x0000000005730000-0x0000000005731000-memory.dmp

memory/3420-10-0x0000000005740000-0x0000000005741000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 9f292a26e38da76726a9579fb22ded27
SHA1 ba6ac6fc4e4894c2bdfb8e2009cd4bc479f7d641
SHA256 dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3
SHA512 5961b3cef616529b5ea884cc4b922d999fe248aaf65de1e138e7d6282d2bc6723481785d4f94932df577c1db4c783585ea91b6f20b5b750af4a363d7e1d458b9

memory/3216-23-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3420-22-0x0000000000BB0000-0x0000000001083000-memory.dmp

memory/3216-28-0x0000000004E60000-0x0000000004E61000-memory.dmp

memory/3216-29-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

memory/3216-30-0x0000000004E40000-0x0000000004E41000-memory.dmp

memory/3216-27-0x0000000004E80000-0x0000000004E81000-memory.dmp

memory/3216-26-0x0000000004E70000-0x0000000004E71000-memory.dmp

memory/3216-25-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-31-0x0000000004E50000-0x0000000004E51000-memory.dmp

memory/3216-33-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

memory/3216-32-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

memory/3216-34-0x0000000000FA0000-0x0000000001473000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

memory/2704-47-0x00000201202C0000-0x00000201202E2000-memory.dmp

memory/2704-48-0x00007FFEC2F30000-0x00007FFEC39F1000-memory.dmp

memory/2704-54-0x0000020120320000-0x0000020120330000-memory.dmp

memory/3216-59-0x0000000000FA0000-0x0000000001473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujbjake2.hhb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2704-60-0x0000020120320000-0x0000020120330000-memory.dmp

memory/2704-61-0x0000020120320000-0x0000020120330000-memory.dmp

memory/2704-63-0x00000201202F0000-0x00000201202FA000-memory.dmp

memory/2704-62-0x00000201226E0000-0x00000201226F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Files_\SkipPing.xlsx

MD5 00b9bd99f77147b05400755cf0248fa0
SHA1 e433ee59803752c364de3abd3a40b15b340669c5
SHA256 3fb67b2de882c9e885c86e8bbb656c90ef2e36fedda26ea3750a22048b396146
SHA512 f4488bb965295ac454f8904298cc47bdeeaea79c8eb1d9c93d7567c140c9f69375fa2ebb7ff03b0b5e968d1da82e0d3ec7429f2118547dbafcd31ce2e6abb47d

memory/2704-68-0x00007FFEC2F30000-0x00007FFEC39F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip

MD5 770ccdfe41fa3e9ecac485aaceda04eb
SHA1 335f312bfefd30b7d11a023710944860206f7e1c
SHA256 c22052cee041307322d24b30d669040333bf52ce1e5115e3fe64bfcc4e23a9af
SHA512 d32aa96c5a8b68d6ae0eae34d7e3700496b415663c65fed70cabd8255d959f67e11c94339df4983e88df1b988ee5a95755717c7676a1fbb6c890cfda0c0d3abe

memory/688-71-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-72-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/688-79-0x0000000004E30000-0x0000000004E31000-memory.dmp

memory/688-78-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

memory/688-77-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

memory/688-76-0x0000000004E40000-0x0000000004E41000-memory.dmp

memory/688-75-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

memory/688-74-0x0000000004E10000-0x0000000004E11000-memory.dmp

memory/688-73-0x0000000004E00000-0x0000000004E01000-memory.dmp

memory/688-80-0x0000000000FA0000-0x0000000001473000-memory.dmp

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

memory/3216-91-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-92-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-93-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-94-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-95-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/2956-97-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/2956-105-0x0000000004F40000-0x0000000004F41000-memory.dmp

memory/2956-104-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

memory/2956-103-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/2956-102-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/2956-101-0x0000000004F50000-0x0000000004F51000-memory.dmp

memory/2956-100-0x0000000004F20000-0x0000000004F21000-memory.dmp

memory/2956-99-0x0000000004F10000-0x0000000004F11000-memory.dmp

memory/2956-98-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/2956-106-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-107-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-108-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-109-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-110-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-111-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-112-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/220-114-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/220-120-0x00000000050E0000-0x00000000050E1000-memory.dmp

memory/220-119-0x00000000050C0000-0x00000000050C1000-memory.dmp

memory/220-121-0x00000000050D0000-0x00000000050D1000-memory.dmp

memory/220-118-0x0000000005120000-0x0000000005121000-memory.dmp

memory/220-117-0x00000000050F0000-0x00000000050F1000-memory.dmp

memory/220-116-0x0000000005100000-0x0000000005101000-memory.dmp

memory/220-115-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/220-122-0x0000000000FA0000-0x0000000001473000-memory.dmp

memory/3216-123-0x0000000000FA0000-0x0000000001473000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 23:24
Reported: 2024-04-07 23:27
Platform: win11-20240221-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000042001\b5eac82724.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\b5eac82724.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\b5eac82724.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Description | Indicator | Process | Target
(10 matches; description, indicator, process and target are all N/A)

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\b5eac82724.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\b5eac82724.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000042001\b5eac82724.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorha.job | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133570058997070035" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\075090709f.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000051001\075090709f.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 784 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2616 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000042001\b5eac82724.exe
PID 2616 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID 2616 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Windows\SysWOW64\rundll32.exe
PID 3440 wrote to memory of 4720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4720 wrote to memory of 4120 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2616 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
PID 4720 wrote to memory of 2312 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\Admin\AppData\Local\Temp\1000051001\075090709f.exe
PID 4716 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\1000051001\075090709f.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1032 wrote to memory of 884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1032 wrote to memory of 1840 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe

"C:\Users\Admin\AppData\Local\Temp\dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000042001\b5eac82724.exe

"C:\Users\Admin\AppData\Local\Temp\1000042001\b5eac82724.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000051001\075090709f.exe

"C:\Users\Admin\AppData\Local\Temp\1000051001\075090709f.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff99d8b9758,0x7ff99d8b9768,0x7ff99d8b9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4456 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 --field-trial-handle=1796,i,1690341000729581748,11041127471277431160,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Network

Country Destination Domain Proto
RU 193.233.132.56:80 193.233.132.56 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 56.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
DE 216.58.206.46:443 www.youtube.com tcp
DE 216.58.212.142:443 consent.youtube.com tcp
US 8.8.8.8:53 142.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.185.250.142.in-addr.arpa udp
DE 172.217.16.196:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
RU 185.215.113.32:80 185.215.113.32 tcp
DE 216.58.212.142:443 consent.youtube.com udp
DE 172.217.18.110:443 play.google.com tcp
DE 172.217.18.110:443 play.google.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp

Files

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 9f292a26e38da76726a9579fb22ded27
SHA1 ba6ac6fc4e4894c2bdfb8e2009cd4bc479f7d641
SHA256 dde4b75153f96d21a76e349a0b6710c5031a5197e8aa3ac7fb7ee1d6cb3899e3
SHA512 5961b3cef616529b5ea884cc4b922d999fe248aaf65de1e138e7d6282d2bc6723481785d4f94932df577c1db4c783585ea91b6f20b5b750af4a363d7e1d458b9

C:\Users\Admin\AppData\Local\Temp\1000042001\b5eac82724.exe

MD5 3edac80b993a482f7112524ab56c8ab0
SHA1 e9aca74db0ddbbc6eccf8039a7c7a892fe3f746c
SHA256 5af1635dd01cd83fc6c9bb03f52f066ff9fd2c8e6e5a9260f71288fba4fe438d
SHA512 e7afb65176dcc69c8af46da866a4ba762ee1fe039a94089a1ed6f61d6ee4845c1fdd32f9cfbf343399db3cffc8bbb5a5ef81d0f78face4d1262e5e736c64b45b

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

MD5 5c1591069b7d16c4e1c354e8589e3e29
SHA1 0822e58e1d4674a3ae29351a4eea38012616efd4
SHA256 fe04a0fbd786f1f69cb8716383383149a910de26bfed62ea9611f2ff357cb869
SHA512 82bd3a6343ab833702b327652f45cbd92b53f41e9e4caa25b1b589041f6c9963057e378ff5cf48880e6f63c3c588379d693da57dff858abe822ce8bf034e1253

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckgzzxyr.3cm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\1000051001\075090709f.exe

MD5 c1a04495bca429962b8b3344fa8684a2
SHA1 b6f77a13ad98d5cdd56152fe0ff1fca62aeb286c
SHA256 4896377dfe62c7180cc960702291f7467ec7a2209b207cbfd63ccf27f29af524
SHA512 1cbb5fa5a027898dff3bf12c7c2428f56243b21b5f99101f235ae0dc2283a8421f68667f95e7ab1b6c8ec32d62f2f5d41a2f736dcbf5b0bce087ae317406afd4

\??\pipe\crashpad_1032_OIZPWBHOLZWHPQSS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6e4553775178e3d9f1f9f9f96d60bcc8
SHA1 fe64c2ca99271d4aac25ab5d0385d3b152db309c
SHA256 2290142824f650f34a2dc4be745f86f24c1aeadd300710a98a26b8c354f90328
SHA512 714a5b8bb415fc5189fb77a73c2fd63fd52a7ad7b1d407b58baf07892419e058fa82a54baecc2681bf5b5c32d81f5753f794e2d58bd631f69d3df3b27f695bd0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4d09c03df069826a551f2a001ca81187
SHA1 ce97d3810e33dd41be5901dc488e3c55a9a090f6
SHA256 21784c29a27499d2d105b45dd0b10cfa62f617b30726ad3e636d148751d5f843
SHA512 9fdbeb521214e3460ba2d5d32e73e0f095f48335db5db4fe48c81694ff9e3305aeccf46c31bab314097a195fae26a1f89cd5b43127a18321f22e06f84dfb13cb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 16130e2b9d37ebbcfbfdcb49920350c4
SHA1 ec9e73d3eb8f5027df2ccd2afd686d432bf74f95
SHA256 bb411f52d9434cbcd834667668a6716a76ebb7b2571dad3e7ec6f266527337f2
SHA512 62a2ebb4b82510eba2680bc844ac6be2d491abdf0b0fa8ecfb22677e1b39d73dcd8befa35f9f9de4ab150e52b83b4ba2ed97b9ea023f47ab8f5efc5faa5b7e0f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ae626d9a72417b14570daa8fcd5d34a4
SHA1 c103ebaf4d760df722d620df87e6f07c0486439f
SHA256 52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512 a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 85b9cc9025322c39ee862e74568559fe
SHA1 100c4c6c0b341a09d8ebcc471bb326a12e700997
SHA256 861fa36fed0da433242f961cd6b05a01b6f6f1f04ab2c9555cfc357469e57951
SHA512 e88cb9995edd0f0ef57d77798c0d949a287b7b92f430e669cfd55197395f9a7298081aa49aef4f0f315845d524c139774ebb2f8e83261f9c731e033671bf3cd8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6aeddc4b7eb337c67ca5c379e1a5c422
SHA1 74be24d26f929f502c2b1aa62e2ca285ce16a3b4
SHA256 352c2302b9a1c85a89e745df2a1ccce7d4fb3790856db9e271ad0679c8ca66d2
SHA512 f2c6621e8f862c05cf23ed32cc30deece0434ba96bca848245fe10665cd357216ab66736c2454cd829e18ce626e163e76ced3caef83765fbd79e63a17817eb7b

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
