Malware Analysis Report

2024-11-30 22:07

Sample ID 240704-cqm77ayhnn
Target ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe
SHA256 ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420
Tags
stealc jony discovery stealer amadey 4dd39d evasion spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420

Threat Level: Known bad

The file ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe was found to be: Known bad.

Malicious Activity Summary

stealc jony discovery stealer amadey 4dd39d evasion spyware trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 02:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 02:16

Reported

2024-07-04 02:19

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe"

Signatures

Stealc

stealer stealc

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe N/A (14 identical entries)

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe

"C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1716 -ip 1716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1108

Network

Country Destination Domain Proto
RU 85.28.47.4:80 tcp (6 identical connections)

Files

memory/1716-0-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-1-0x000000007F3C0000-0x000000007F791000-memory.dmp

memory/1716-2-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-3-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-4-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-5-0x000000007F3C0000-0x000000007F791000-memory.dmp

memory/1716-6-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-7-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-8-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-9-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-10-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-11-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-12-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-13-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-14-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-15-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-16-0x0000000000890000-0x0000000001471000-memory.dmp

memory/1716-17-0x0000000000890000-0x0000000001471000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 02:16

Reported

2024-07-04 02:19

Platform

win7-20240508-en

Max time kernel

58s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (64 identical entries)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe N/A (2 identical entries)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (21 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (8 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (7 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe N/A (6 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe N/A (2 identical entries)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (20 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (7 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (5 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe N/A (6 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 1932 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 1740 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe (4 identical entries)
PID 2040 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (4 identical entries)
PID 272 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\2b7d4392e9.exe (4 identical entries)
PID 272 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe (4 identical entries)
PID 1812 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe C:\Program Files\Google\Chrome\Application\chrome.exe (4 identical entries)
PID 2004 wrote to memory of 2592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (3 identical entries)
PID 2004 wrote to memory of 888 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (33 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe

"C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCBGCGHDGI.exe"

C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe

"C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\2b7d4392e9.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\2b7d4392e9.exe"

C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe

"C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7009758,0x7fef7009768,0x7fef7009778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1368,i,18208845718704790217,1891036105424558642,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1468 --field-trial-handle=1368,i,18208845718704790217,1891036105424558642,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1368,i,18208845718704790217,1891036105424558642,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1368,i,18208845718704790217,1891036105424558642,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2240 --field-trial-handle=1368,i,18208845718704790217,1891036105424558642,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1692 --field-trial-handle=1368,i,18208845718704790217,1891036105424558642,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1456 --field-trial-handle=1368,i,18208845718704790217,1891036105424558642,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 --field-trial-handle=1368,i,18208845718704790217,1891036105424558642,131072 /prefetch:8
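The process list above is flat, so the chain is easy to miss on a skim: the sample uses cmd.exe /c start "" to launch droppers out of %TEMP%, those droppers stage further executables in generated Temp subfolders (ad40971b6b\, 1000006001\, 1000007001\), and Chrome is started with an explicit URL while every other chrome.exe line is an ordinary --type= helper. The script below is an added triage example written for this page, not code from the sandbox or its report. It applies three heuristics of my own (the regexes and severity labels are assumptions, not sandbox signatures) to a subset of the (image, command line) pairs copied from the list above; the two long Chrome helper command lines are shortened in the sample input.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: a subset of the (image path, command line) pairs copied from
# the Processes list above (two Chrome helper command lines shortened).  In a live
# run these would come from the sandbox JSON export or Sysmon event ID 1.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ff5c8360c9f87054525970c5aeb707cc177291904206b5c18b09e0e6e2ce7420.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCBGCGHDGI.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\1000006001\2b7d4392e9.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1000006001\2b7d4392e9.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe"'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --url=https://clients2.google.com/cr/report'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US /prefetch:1'),
    (r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
     r'"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"'),
]

# Heuristics (assumptions made for this example, not sandbox signatures):
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# executable staged one level below %TEMP% in a generated 10-character
# directory name (hex such as ad40971b6b, or all digits such as 1000006001)
STAGE_RE = re.compile(r"\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$", re.IGNORECASE)
# cmd.exe /c start "" "<target>"  (detached launch of a second-stage binary)
START_RE = re.compile(r'cmd\.exe"?\s+/c\s+start\s+""\s+"([^"]+)"', re.IGNORECASE)
URL_RE = re.compile(r"\s(https?://\S+)", re.IGNORECASE)


@dataclass
class Finding:
    level: str    # "high" or "medium"
    reason: str
    image: str


def triage(processes):
    """Apply the heuristics to (image, cmdline) pairs and return the findings."""
    findings = []
    for image, cmdline in processes:
        base = image.rsplit("\\", 1)[-1].lower()
        m = START_RE.search(cmdline)
        if base == "cmd.exe" and m:
            target = m.group(1)
            if TEMP_RE.search(target):
                findings.append(Finding("high", f'cmd.exe /c start "" launches {target}', image))
            continue
        if base == "chrome.exe":
            if "--type=" in cmdline:
                continue  # Chrome helper process: expected noise once the browser is up
            u = URL_RE.search(cmdline)
            if u:
                findings.append(Finding("medium",
                    f"browser started with explicit URL {u.group(1)}; check parent process", image))
            continue
        if STAGE_RE.search(image):
            findings.append(Finding("high", "executable staged in generated %TEMP% subfolder", image))
        elif TEMP_RE.search(image):
            findings.append(Finding("medium", "executable run directly from %TEMP%", image))
    return findings


def summary(findings):
    """Count findings per severity level."""
    return dict(Counter(f.level for f in findings))


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"[{f.level:6}] {f.reason}\n         image: {f.image}")
    print(summary(triage(PROCESSES)))
```

The chrome.exe rule deliberately returns "medium" rather than "high": the report does not show parent PIDs, so whether the browser was opened by the user or by one of the dropped executables has to be confirmed from the sandbox's process tree before the finding is escalated.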

Network

Country Destination Domain Proto
RU 85.28.47.4:80 85.28.47.4 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.4:80 85.28.47.4 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.212.206:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
GB 216.58.212.206:443 consent.youtube.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 216.58.212.206:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com udp
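Two kinds of traffic are mixed in the table above. The five rows to 85.28.47.4 and 77.91.77.81/82 on port 80 have a Domain cell equal to the IP, which in this report format means no name resolution preceded the connection: the addresses are hard-coded in the sample and are the C2 candidates. Everything else is Google infrastructure reached through 8.8.8.8 lookups after Chrome was opened on youtube.com, plus one mDNS multicast row that has no Domain cell at all. The script below is an added example written for this page, not part of the sandbox report; the classification rules are my own assumptions, and the row text is copied verbatim from the table.

```python
import ipaddress

# Constructed input: the rows of the Network table above, copied verbatim.
# The mDNS row (224.0.0.251:5353) has only three cells, exactly as on the page.
NETWORK_ROWS = """
RU 85.28.47.4:80 85.28.47.4 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.4:80 85.28.47.4 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.212.206:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
GB 216.58.212.206:443 consent.youtube.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 216.58.212.206:443 consent.youtube.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com udp
"""


def parse_row(line):
    """Split one 'Country Destination [Domain] Proto' row into fields."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:           # row with no Domain cell (the multicast line)
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ipaddress.ip_address(host),
            "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    """Bucket a row: local noise, DNS, hard-coded IP, or name-resolved destination."""
    ip = row["ip"]
    if ip.is_multicast or ip.is_private or ip.is_link_local or ip.is_loopback:
        return "local"
    if row["port"] == 53:
        return "dns"
    # Domain cell equal to the IP (or absent) means the sandbox saw no lookup
    # for it: the address came from inside the sample, not from DNS.
    if row["domain"] in ("", str(ip)):
        return "direct-ip"
    return "named"


def triage_network(text):
    """Deduplicate on (ip, port, proto) and group the rows by classification."""
    buckets = {"local": [], "dns": [], "direct-ip": [], "named": []}
    seen = set()
    for line in text.strip().splitlines():
        row = parse_row(line)
        key = (str(row["ip"]), row["port"], row["proto"])
        if key in seen:
            continue
        seen.add(key)
        buckets[classify(row)].append(row)
    return buckets


def c2_candidates(text):
    """Hard-coded destinations contacted over cleartext HTTP, as 'ip:port'."""
    return sorted(f'{r["ip"]}:{r["port"]}'
                  for r in triage_network(text)["direct-ip"] if r["port"] == 80)


if __name__ == "__main__":
    for name, rows in triage_network(NETWORK_ROWS).items():
        print(name, [f'{r["ip"]}:{r["port"]}/{r["proto"]}' for r in rows])
    print("block these:", c2_candidates(NETWORK_ROWS))
```

Only the direct-ip bucket is worth turning into network indicators; the Google addresses rotate per resolver and per region and would generate false positives on any host that opens a browser.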

Files

memory/1932-0-0x0000000000CA0000-0x0000000001881000-memory.dmp

memory/1932-1-0x0000000000CA0000-0x0000000001881000-memory.dmp

memory/1932-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1932-66-0x0000000000CA0000-0x0000000001881000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe

MD5 6c4ea5959222315f89ec2a4c31a79b42
SHA1 b0e03f4bb8f6cd1e0d35abe12e6a38f500b61c08
SHA256 03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39
SHA512 32697372fdde9adb6994838ff81d00b8e02d0e26ffb2feb8eaf366180bad7b7e0a22c8e92284680733ef1015b437144694793cdfc7791913b1a6f9771fe67695

memory/2040-101-0x0000000000D50000-0x00000000011FF000-memory.dmp

memory/2040-121-0x0000000000D50000-0x00000000011FF000-memory.dmp

memory/2040-118-0x0000000006D50000-0x00000000071FF000-memory.dmp

memory/272-119-0x00000000003D0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\2b7d4392e9.exe

MD5 1323616c7b4228edd3735c144d4632c2
SHA1 34c45567ebdfcfeeb9d950aa527bf3bac2709a41
SHA256 96a32d13cd84073e06f1b0c27c7daf3192bbce58278fbf5c1270bcae4c0eba37
SHA512 d023ba0ec57b3a80fdba972c259b60f4f3779a0d9692317e3e009507b8adf9bb66b63aa09214677dd8294750d7e8d6250722b5687fcca1e9eb7da16718c6a079

memory/272-138-0x0000000007070000-0x0000000007C69000-memory.dmp

memory/272-141-0x0000000007070000-0x0000000007C69000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe

MD5 08adf93a86b983edaee843e01f85fddb
SHA1 1647634a1bdf17e3944046992f03e52ccbbc9f7c
SHA256 1ef265a69a824b0ad8781771c35265868c58e56264461d74e825ef473c57161e
SHA512 60d37930bf6845cea06eaa3d7a48b97d17ff2b24cc8725814b4aae9ce2de2fd5964e690489b8e9f9126bb57b685191bb922640a4d6c123d9749845075224ae0e

memory/1308-143-0x00000000010E0000-0x0000000001CD9000-memory.dmp

memory/1308-142-0x00000000010E0000-0x0000000001CD9000-memory.dmp

\??\pipe\crashpad_2004_VKUBXOUJOOHCRRMN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/272-229-0x00000000003D0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/272-255-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-256-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-257-0x0000000007070000-0x0000000007C69000-memory.dmp

memory/272-262-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-263-0x00000000003D0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8e310cd439b3404f0b8a62570a2c503c
SHA1 616ebb71d93cc9bdf580bb4653fbd5bf323aa0f6
SHA256 6ced85389fee049b6361e225df9ccc7d016906b6d33a95cce5d4944958de1e19
SHA512 49a62279a60af31deaf31fc931bc977d2d46bfe9f6a3023587a27bda089e2f50594ad47acbf6f17a1be62e82cd739fa270c23633e55ca3a718e23908ab4ad89f

memory/272-271-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-272-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-275-0x00000000003D0000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 762eccf2741bfdb1aa3f08400de0e234
SHA1 1c81885d93fc545a329222e58cdb9bd071d7a4ae
SHA256 41f33dd326fd0d0d9942cc188dd8243797f83db6abb90e168054413b2ddda97c
SHA512 789aac91e3f0af5ce93fdfacaf7606e04cde678884dac7b21c17747a467e02c8231ae272e583cddc43267721b11dd98cff8a09e44085e886236b381a8975b449

memory/272-287-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-288-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-289-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-290-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-291-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-292-0x00000000003D0000-0x000000000087F000-memory.dmp

memory/272-293-0x00000000003D0000-0x000000000087F000-memory.dmp
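The Files list above interleaves four kinds of entry: memory dumps (memory/… lines, no hashes), files Chrome wrote to its own profile after being launched, a crashpad named pipe whose hashes are those of zero-length input, and the artifacts actually dropped by the sample (nss3.dll and mozglue.dll in \ProgramData plus the three executables under %TEMP%). The script below is an added example for this page, not part of the report: it parses the list, derives the empty-input SHA256 with hashlib instead of hard-coding it, and keeps only the dropped artifacts as hash IOCs. The path patterns used to recognise memory dumps and browser profile files are my own assumptions. The input is a subset of the entries above (all hashed entries and four of the memory dump lines), copied verbatim.

```python
import hashlib
import re
from collections import Counter

# SHA256 of zero bytes: what a sandbox records for a pipe or other empty object.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed input: a subset of the Files list above, copied verbatim
# (raw string: the Windows paths contain backslash sequences such as \U and \?).
FILES_TEXT = r"""
memory/1932-0-0x0000000000CA0000-0x0000000001881000-memory.dmp
memory/1932-1-0x0000000000CA0000-0x0000000001881000-memory.dmp
\ProgramData\nss3.dll
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
\ProgramData\mozglue.dll
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
memory/1932-66-0x0000000000CA0000-0x0000000001881000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DAEGIIECGH.exe
MD5 6c4ea5959222315f89ec2a4c31a79b42
SHA1 b0e03f4bb8f6cd1e0d35abe12e6a38f500b61c08
SHA256 03a7ad5cb5baeb292c5a521a57912ebe7f5541e0f18a9c77664d861bea822f39
C:\Users\Admin\AppData\Local\Temp\1000006001\2b7d4392e9.exe
MD5 1323616c7b4228edd3735c144d4632c2
SHA1 34c45567ebdfcfeeb9d950aa527bf3bac2709a41
SHA256 96a32d13cd84073e06f1b0c27c7daf3192bbce58278fbf5c1270bcae4c0eba37
C:\Users\Admin\AppData\Local\Temp\1000007001\eb94bf8338.exe
MD5 08adf93a86b983edaee843e01f85fddb
SHA1 1647634a1bdf17e3944046992f03e52ccbbc9f7c
SHA256 1ef265a69a824b0ad8781771c35265868c58e56264461d74e825ef473c57161e
\??\pipe\crashpad_2004_VKUBXOUJOOHCRRMN
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
MD5 18e723571b00fb1694a3bad6c78e4054
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
MD5 8e310cd439b3404f0b8a62570a2c503c
SHA256 6ced85389fee049b6361e225df9ccc7d016906b6d33a95cce5d4944958de1e19
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
MD5 762eccf2741bfdb1aa3f08400de0e234
SHA256 41f33dd326fd0d0d9942cc188dd8243797f83db6abb90e168054413b2ddda97c
memory/272-293-0x00000000003D0000-0x000000000087F000-memory.dmp
"""


def parse_files(text):
    """Turn the flat list into entries: {'path': ..., 'MD5': ..., 'SHA256': ...}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length on {current['path']}")
            current[algo] = digest
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def classify_file(entry):
    """memory-dump, empty, browser-profile, or dropped (the only hash IOCs)."""
    path = entry["path"]
    if path.startswith("memory/"):
        return "memory-dump"
    if entry.get("SHA256") == EMPTY_SHA256:
        return "empty"
    if "\\Google\\Chrome\\User Data\\" in path:
        return "browser-profile"
    return "dropped"


def category_counts(text):
    return dict(Counter(classify_file(e) for e in parse_files(text)))


def dropped_iocs(text):
    """(path, sha256) for every artifact the sample itself wrote to disk."""
    return [(e["path"], e["SHA256"]) for e in parse_files(text)
            if classify_file(e) == "dropped"]


if __name__ == "__main__":
    print(category_counts(FILES_TEXT))
    for path, sha in dropped_iocs(FILES_TEXT):
        print(sha, path)
```

The two \ProgramData DLLs deserve a separate note when the hashes are shared: nss3.dll and mozglue.dll are legitimate Mozilla libraries, and stealers commonly drop them to read Firefox's credential database, which is consistent with the "Loads dropped DLL" and "Reads user/profile data of web browsers" signatures in the summary. Blocking those hashes outright will also hit legitimate Firefox installs, so a path-qualified rule (the DLLs sitting directly in \ProgramData) is the safer indicator.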