amadey | 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20

Analysis

max time kernel
148s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Size

1.9MB
MD5

bf765192fb7e18bf2c9025248d43906b
SHA1

1083b78af5811beedf7d4e0f8c7dcb742c531b83
SHA256

01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20
SHA512

85bb10c7045a4b28a07eb1aa9d576910a8849433d29a9c0079e173a3d5eba33b6b4755ef4527b94e83f9229546b638e3871ae2758d08b879959c8998a3e52a39
SSDEEP

49152:jIS2DUkA/ZCcWeLrfU671Jc4BvvXoCR3BbAbmlM5:PkaZdWeLLj7jcsJAbF

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amert.exe01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exeexplorha.exe88fae3b48d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	88fae3b48d.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

44 2004 rundll32.exe
48 1488 rundll32.exe
Downloads MZ/PE file

flow	pid	process
44	2004	rundll32.exe
48	1488	rundll32.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88fae3b48d.exeamert.exe01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	88fae3b48d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	88fae3b48d.exe

Executes dropped EXE 4 IoCs

Processes:

explorha.exe88fae3b48d.exego.exeamert.exe

pid process

4004 explorha.exe
3180 88fae3b48d.exe
1660 go.exe
4328 amert.exe

pid	process
4004	explorha.exe
3180	88fae3b48d.exe
1660	go.exe
4328	amert.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exe88fae3b48d.exeamert.exe01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	88fae3b48d.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Wine	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1208 rundll32.exe
2004 rundll32.exe
1488 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1208	rundll32.exe
2004	rundll32.exe
1488	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\88fae3b48d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\88fae3b48d.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exeexplorha.exeamert.exe

pid process

1444 01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
4004 explorha.exe
4328 amert.exe

Drops file in Windows directory 2 IoCs

Processes:

01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exeexplorha.exemsedge.exemsedge.exemsedge.exemsedge.exeamert.exerundll32.exepowershell.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1444	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
1444	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
4004	explorha.exe
4004	explorha.exe
4576	msedge.exe
4576	msedge.exe
3556	msedge.exe
3556	msedge.exe
948	msedge.exe
948	msedge.exe
3164	msedge.exe
3164	msedge.exe
4328	amert.exe
4328	amert.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
4416	identity_helper.exe
4416	identity_helper.exe
4356	msedge.exe
4356	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe
2824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid process

948 msedge.exe
948 msedge.exe
948 msedge.exe
948 msedge.exe
948 msedge.exe
948 msedge.exe
948 msedge.exe
948 msedge.exe
948 msedge.exe
948 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 5100 powershell.exe

pid	process
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe

description	pid	process
Token: SeDebugPrivilege	5100	powershell.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

go.exemsedge.exe

pid	process
1660	go.exe
1660	go.exe
1660	go.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

go.exemsedge.exe

pid	process
1660	go.exe
1660	go.exe
1660	go.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1444 wrote to memory of 4004	1444	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe	explorha.exe
PID 1444 wrote to memory of 4004	1444	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe	explorha.exe
PID 1444 wrote to memory of 4004	1444	01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe	explorha.exe
PID 4004 wrote to memory of 3180	4004	explorha.exe	88fae3b48d.exe
PID 4004 wrote to memory of 3180	4004	explorha.exe	88fae3b48d.exe
PID 4004 wrote to memory of 3180	4004	explorha.exe	88fae3b48d.exe
PID 4004 wrote to memory of 3592	4004	explorha.exe	explorha.exe
PID 4004 wrote to memory of 3592	4004	explorha.exe	explorha.exe
PID 4004 wrote to memory of 3592	4004	explorha.exe	explorha.exe
PID 4004 wrote to memory of 1660	4004	explorha.exe	go.exe
PID 4004 wrote to memory of 1660	4004	explorha.exe	go.exe
PID 4004 wrote to memory of 1660	4004	explorha.exe	go.exe
PID 1660 wrote to memory of 4264	1660	go.exe	msedge.exe
PID 1660 wrote to memory of 4264	1660	go.exe	msedge.exe
PID 4264 wrote to memory of 1952	4264	msedge.exe	msedge.exe
PID 4264 wrote to memory of 1952	4264	msedge.exe	msedge.exe
PID 1660 wrote to memory of 948	1660	go.exe	msedge.exe
PID 1660 wrote to memory of 948	1660	go.exe	msedge.exe
PID 948 wrote to memory of 1744	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1744	948	msedge.exe	msedge.exe
PID 1660 wrote to memory of 128	1660	go.exe	msedge.exe
PID 1660 wrote to memory of 128	1660	go.exe	msedge.exe
PID 128 wrote to memory of 2412	128	msedge.exe	msedge.exe
PID 128 wrote to memory of 2412	128	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe
PID 948 wrote to memory of 1884	948	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe
"C:\Users\Admin\AppData\Local\Temp\01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\1000042001\88fae3b48d.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\88fae3b48d.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3180

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
4⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fffeb3b3cb8,0x7fffeb3b3cc8,0x7fffeb3b3cd8
5⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,13152423241737837009,11693626248572836492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeb3b3cb8,0x7fffeb3b3cc8,0x7fffeb3b3cd8
5⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
5⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
5⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
5⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
5⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
5⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
5⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
5⤵
PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
5⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
5⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
5⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
5⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
5⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,16002782319834733168,4011074071987836876,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5236 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffeb3b3cb8,0x7fffeb3b3cc8,0x7fffeb3b3cd8
5⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,7773730604925815983,8068084459429253998,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
5⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,7773730604925815983,8068084459429253998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3556

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:1208

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\280069375290_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
960B

MD5
8ddb9f783681e3718ba15f717798f85d

SHA1
dc520766c482ea72b62144a0b6af8cc489614902

SHA256
3903f92c578235b94e1092dc38ccad2625b88b865dd7ee3664cb7774aeaa7b12

SHA512
59cc9398e043669f57ca2adb55d58989858a4c5bae18ed4b67502f04137f42e3986ba0367daa9c0a0648a460fe2a956abfff78e39f8e80f221d1a96928daf090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
9a11681ab9196649f67f171af8972ba9

SHA1
f71df3ac51bad02a2374778ca85c5d4a36f9ee6a

SHA256
e63d4b9a424d2fc8e47fa805be57b44da02f110b3cfe47f8b772add4ecef3a01

SHA512
8792f259a53b708e15d9bec18f197cbaf23e7cc937a9d1e2d4d93c53bd7bfa6417ba8ae4dab2e3d1af8fef62e4f4375d09895a2c0af20e102d12f1825e46e6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
1d99c39a18c1a989e2a42eee3497edbd

SHA1
63622d519da38e7dd0b3e903edc4f02fd77cf717

SHA256
5b7b13763b365d693049b5d0cf7e6418bdf59ca8c47d4a4f759a81aa58ce8c22

SHA512
9cd59b461ebab2b6c336ab1bb2deded6836ab9fd2ba512154c5686e8daddeb7c6b706b8caebe4b54c78ff69e7aeb859b7e608abad7116a5e22afc1b4715e9f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a43d74472659be7bfc4a3f72841f9d00

SHA1
612b806dc62c2f5a08725eb6bfbacf2f18734edc

SHA256
7ccdebfe7feed5f201b9842055e5832d6d796ba394c6b53b8a23206a168aa4ce

SHA512
c7d9e9c8d6b9d1bd0a1eb79f5f85cfb2ff14cd68756cdb28dc95f53861b3a866afa7751802301be249e59acdf32c6af7dde4181514ef2fec4cfafa0863fc9f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
754be4729d73d8ff00770cca5ccb8c03

SHA1
eaacd9e2952f31d12c6c5046dd1ea19dc6ad4bcf

SHA256
9e9306ff4fe1234094a1e769be9a94c117949e2100f3d13e7251fdc9b0d5c9a9

SHA512
2f89779af69f318eca6edc4eb6050e99ad7af0885ec18d93569697607e28641c4d3f7082657e91889dbf1d399a9ae9ea6909507462647ae0dba16b4e5fd821fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
3d4c465a44e71ce15c7a108694221e75

SHA1
7ce5ca25f6245de10b845ec04616fc4da47e038c

SHA256
5558695d828f003509caf0c869da42be448fbab2d7fb43488efdcc7c7cc80d47

SHA512
64236a021816ab5675f0d7848b1df6f5fa13038aeb60953eb20f0e7f793af9aebb63e8043269649f478b39d0c2a794dcf57a0c7b1ae1ac6b6f3302e099b8a194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
a0c5a4fcd04f656854cc8228b9416bd9

SHA1
6736d92e41e5b33467ed5e18877d7fec463df827

SHA256
d671ee17e077a286585daadf12327f598fcea2fa7e68b6daf786bd3c6e442eab

SHA512
1e59c8d542b99ba56f39a241247845251adb7a47a7cd548ef0c4af5cf7ba97e7f4263e03fa32a4564bd94968374d6bfa8f86ce27ac363ced0a1e491172c501f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
7819e61a8b6711128a552b7d53efc5cb

SHA1
c3289df4791bd9c54c79f91a75fc5137f8da5f95

SHA256
8131da3414d8165a486663300a9b04317f383f61b290a84341f8dbd2883806e3

SHA512
3f4b2a485e0f5c4b394e27a7fd35c82068c54064afc54526f3da609e965a44ffb496243c20c43376fc368a4927b97481531f5ab603bfca7ede6e64c2b8241544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
707B

MD5
f850a44f1065a1de1c5ee04374784a0c

SHA1
cd8a08fed37fb0f89ca84b4576f60262814fe7db

SHA256
226c41c647a97debd374198bf44da442180da9b857b8238c1405de317345deea

SHA512
3cb371f76ef4c6a4bff260d31c0700c1f25c825ef55f6135493c351bda97895cd672a7df1f7d9ba9188a1801aeb4413a40bfeca7b370957d614387ebe55be0cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e06d.TMP
Filesize
707B

MD5
9a8f68eb5e6b8afa5b3f5fbe0751ff74

SHA1
4081931248167e82964fe1337032941ac24a4b69

SHA256
2029f25960ad5a2610b3b7d7d42f5517462da7a5264cdac506a5e2ee57d25611

SHA512
60ea39ebc6f4c8bfd43dee24bb71789ce9e2b8538224b324a8dcd292fde0d8a21ff199e17e036e00fc12e7eb8f85915a5d93e3b2c9dd16b0f811f7e7c3b3893a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
6a1a59e1e948dce8e2d3a51b22517c89

SHA1
a5371ef2b62381e5802920649573bfb33e862c06

SHA256
d15bc3b7293515c481955c02c070e3ff684bdd4f2cb6613f803f749bd213012b

SHA512
e4be964fdb2c68dc319d8a8bd434a85ca1a6e6518918db43e09b243cb2496a5a17dce63e7f3fd083a6933e9e2ecc535883fe690a1fd6b1e3ac3ce9317eb457a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
d4925e0529cbb328aa580ae82dc66712

SHA1
5aaf3832e5a781254290ea246204f6ba3ab4b097

SHA256
0cb3c9a5aa00b63c551d7ccfce07410bd2dcadc7b24c2b1d3768b16dddab0557

SHA512
5d2afbaf8567ade534ea95afdf1eafda788f52445f837425f14227351572d634ae5e34dba87fc038abd5a99ec88220a5bfe823efb962e84ace8964b92f87e337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
55204bda1f6822b78f1ae2d1bbab3c07

SHA1
ba14c1e0dccd0971d98a9f7bd7bbc8d7c1013cc6

SHA256
243e70618c991b3a326a796e3082b4333cfcb4686b12a18c5853ef7af6190035

SHA512
d8bca7ffd901f351e386b78731214c82b56293514c2090a5edcef14e4bf48635eb16b4c353ecb31a7be0947b0531c41a8dd7fcb50b80993245b52e503427db73

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize
1.9MB

MD5
bf765192fb7e18bf2c9025248d43906b

SHA1
1083b78af5811beedf7d4e0f8c7dcb742c531b83

SHA256
01283d03302f2edd4960899e0054084b264f59d951ee9f3bf38f7d50d43a8a20

SHA512
85bb10c7045a4b28a07eb1aa9d576910a8849433d29a9c0079e173a3d5eba33b6b4755ef4527b94e83f9229546b638e3871ae2758d08b879959c8998a3e52a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\88fae3b48d.exe
Filesize
3.1MB

MD5
03560350b623d3325d16a46f69be90fc

SHA1
63d3d99dade999f15cfbad22ff040dacd13a8e1b

SHA256
fd6a73027fb19ad5b50bbdd8d6b8dd3a144d1bfd5fe14a1b61d8b95207ea6c0e

SHA512
d102273cff603acc6ce9e865b0d92fb6c2dd33eb7186cece8363eca6244279c1e201466211bb21c46115fb490c126d70b4c56e2fe2ee2d8922c5365606526dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
Filesize
894KB

MD5
2f8912af892c160c1c24c9f38a60c1ab

SHA1
d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

SHA256
59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

SHA512
0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
Filesize
1.8MB

MD5
727c54fa3a9c67f729c897be63eb2ee0

SHA1
c94e05a7dd1573c0df9d2f8e9a2f1e10d0174c23

SHA256
cd91b436df70efb3b0d4cf141d257282ace5d9daa990161b85d46d266514e886

SHA512
ebf23a591fc7a602e9b1983ea54b724bdc455a4ef2e1ab40117f44fae66c5c249d34ec8809798129bdacf1a6c03f8aefde4c1bd8a4b4cea753b1dd267bee196c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tf34e4jw.luu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\LOCAL\crashpad_128_SRYVEPFLKSQGRXBW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1444-10-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/1444-0-0x0000000000BB0000-0x000000000108F000-memory.dmp

Filesize
4.9MB

Download
memory/1444-7-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1444-8-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1444-1-0x00000000777A6000-0x00000000777A8000-memory.dmp

Filesize
8KB

Download
memory/1444-4-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/1444-21-0x0000000000BB0000-0x000000000108F000-memory.dmp

Filesize
4.9MB

Download
memory/1444-9-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1444-2-0x0000000000BB0000-0x000000000108F000-memory.dmp

Filesize
4.9MB

Download
memory/1444-3-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1444-5-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1444-6-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3180-51-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-52-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-511-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-489-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-485-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-474-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-472-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-470-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-468-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-443-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-436-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-424-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-413-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-411-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-377-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-365-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/3180-330-0x0000000000360000-0x0000000000724000-memory.dmp

Filesize
3.8MB

Download
memory/4004-26-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4004-25-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4004-508-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-23-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-30-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4004-488-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-484-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-32-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4004-29-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4004-366-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-31-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4004-473-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-24-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-28-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4004-471-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-410-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-469-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-412-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-264-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-414-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-27-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4004-467-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-434-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-306-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4004-442-0x0000000000210000-0x00000000006EF000-memory.dmp

Filesize
4.9MB

Download
memory/4328-274-0x0000000000590000-0x0000000000A50000-memory.dmp

Filesize
4.8MB

Download
memory/4328-283-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4328-286-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4328-294-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4328-287-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4328-295-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4328-281-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4328-282-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4328-261-0x0000000000590000-0x0000000000A50000-memory.dmp

Filesize
4.8MB

Download
memory/4328-299-0x0000000000590000-0x0000000000A50000-memory.dmp

Filesize
4.8MB

Download
memory/4328-285-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5100-331-0x0000028E422E0000-0x0000028E422F0000-memory.dmp

Filesize
64KB

Download
memory/5100-328-0x00007FFFD8490000-0x00007FFFD8F52000-memory.dmp

Filesize
10.8MB

Download
memory/5100-329-0x0000028E422E0000-0x0000028E422F0000-memory.dmp

Filesize
64KB

Download
memory/5100-324-0x0000028E42320000-0x0000028E42342000-memory.dmp

Filesize
136KB

Download
memory/5100-340-0x00007FFFD8490000-0x00007FFFD8F52000-memory.dmp

Filesize
10.8MB

Download
memory/5100-333-0x0000028E5A6B0000-0x0000028E5A6C2000-memory.dmp

Filesize
72KB

Download
memory/5100-334-0x0000028E42300000-0x0000028E4230A000-memory.dmp

Filesize
40KB

Download
memory/5100-332-0x0000028E422E0000-0x0000028E422F0000-memory.dmp

Filesize
64KB

Download