Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-04-2024 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19dfa4fee0fdea2caf83db8927177db9c71979ea442215b5b0304f5799526fc6.exe

  • Size

    1.9MB

  • MD5

    4ef3813fea580ac8117ec4efe049309c

  • SHA1

    4c3bf23e42a83ba2a095a6e7b64eb51d08c3bd93

  • SHA256

    19dfa4fee0fdea2caf83db8927177db9c71979ea442215b5b0304f5799526fc6

  • SHA512

    8fe8168d2d6989d802d82b2cf7f07a48abb334ff1a1f8c74792d6b81c8b871e1f49c5954914010ea20fe26249fde621ff8faab5634f5836f5e902394eda23a20

  • SSDEEP

    49152:6TlOlNNKTOulSMY9c9U/uF6myyZ4xBlb6THxx:8yKCulfY9r/pHxBlmj

Score
10/10
amadeyriseproevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes
  • install_dir

    09fd851a4f

  • install_file

    explorha.exe

  • strings_key

    443351145ece4966ded809641c77cfa8

  • url_paths

    /Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 6 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19dfa4fee0fdea2caf83db8927177db9c71979ea442215b5b0304f5799526fc6.exe
    "C:\Users\Admin\AppData\Local\Temp\19dfa4fee0fdea2caf83db8927177db9c71979ea442215b5b0304f5799526fc6.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Users\Admin\AppData\Local\Temp\1000042001\9f0f6b53c4.exe
        "C:\Users\Admin\AppData\Local\Temp\1000042001\9f0f6b53c4.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        PID:2480
      • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
        "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
        3⤵
          PID:2408
        • C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
          "C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3580
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1092
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba2ea46f8,0x7ffba2ea4708,0x7ffba2ea4718
              5⤵
                PID:3920
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7840346126444363647,17930097123791245425,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
                5⤵
                  PID:2608
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7840346126444363647,17930097123791245425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4452
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
                4⤵
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:3096
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffba2ea46f8,0x7ffba2ea4708,0x7ffba2ea4718
                  5⤵
                    PID:3128
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
                    5⤵
                      PID:4128
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4076
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
                      5⤵
                        PID:944
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                        5⤵
                          PID:1732
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
                          5⤵
                            PID:1048
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
                            5⤵
                              PID:5340
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1
                              5⤵
                                PID:5708
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
                                5⤵
                                  PID:5804
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
                                  5⤵
                                    PID:5948
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
                                    5⤵
                                      PID:5636
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
                                      5⤵
                                        PID:5372
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
                                        5⤵
                                          PID:5680
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
                                          5⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:4276
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
                                          5⤵
                                            PID:2708
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
                                            5⤵
                                              PID:5936
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
                                              5⤵
                                                PID:5380
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
                                                5⤵
                                                  PID:5228
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
                                                  5⤵
                                                    PID:6100
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1684 /prefetch:1
                                                    5⤵
                                                      PID:1280
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,4513753042768665150,232133918671920054,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5396 /prefetch:2
                                                      5⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:3924
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                                    4⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3740
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba2ea46f8,0x7ffba2ea4708,0x7ffba2ea4718
                                                      5⤵
                                                        PID:3156
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,672537058746418773,1520612976412770520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
                                                        5⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:5660
                                                  • C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
                                                    3⤵
                                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                    • Checks BIOS information in registry
                                                    • Executes dropped EXE
                                                    • Identifies Wine through registry keys
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    • Drops file in Windows directory
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:4776
                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                                                    3⤵
                                                    • Loads dropped DLL
                                                    PID:6100
                                                    • C:\Windows\system32\rundll32.exe
                                                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                                                      4⤵
                                                      • Blocklisted process makes network request
                                                      • Loads dropped DLL
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:5352
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh wlan show profiles
                                                        5⤵
                                                          PID:5460
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal
                                                          5⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5480
                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                                                      3⤵
                                                      • Blocklisted process makes network request
                                                      • Loads dropped DLL
                                                      PID:1300
                                                • C:\Windows\System32\CompPkgSrv.exe
                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                  1⤵
                                                    PID:5132
                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                    1⤵
                                                      PID:5332
                                                    • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                                      C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
                                                      1⤵
                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                      • Checks BIOS information in registry
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Identifies Wine through registry keys
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:1948
                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                                                        2⤵
                                                        • Loads dropped DLL
                                                        PID:5516
                                                        • C:\Windows\system32\rundll32.exe
                                                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
                                                          3⤵
                                                          • Blocklisted process makes network request
                                                          • Loads dropped DLL
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3188
                                                          • C:\Windows\system32\netsh.exe
                                                            netsh wlan show profiles
                                                            4⤵
                                                              PID:4836
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip' -CompressionLevel Optimal
                                                              4⤵
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4864
                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                                                          2⤵
                                                          • Blocklisted process makes network request
                                                          • Loads dropped DLL
                                                          PID:216
                                                      • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                        C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                        1⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:1592
                                                      • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                        C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                        1⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:1916

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                        Filesize

                                                        3KB

                                                        MD5

                                                        fe3aab3ae544a134b68e881b82b70169

                                                        SHA1

                                                        926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

                                                        SHA256

                                                        bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

                                                        SHA512

                                                        3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                        Filesize

                                                        152B

                                                        MD5

                                                        fd7944a4ff1be37517983ffaf5700b11

                                                        SHA1

                                                        c4287796d78e00969af85b7e16a2d04230961240

                                                        SHA256

                                                        b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

                                                        SHA512

                                                        28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                        Filesize

                                                        152B

                                                        MD5

                                                        a774512b00820b61a51258335097b2c9

                                                        SHA1

                                                        38c28d1ea3907a1af6c0443255ab610dd9285095

                                                        SHA256

                                                        01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

                                                        SHA512

                                                        ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                        Filesize

                                                        960B

                                                        MD5

                                                        f6023013ca0baf9b76df1c4f07cb9d34

                                                        SHA1

                                                        e8c0a468ff399e41cca59c14d3357370795dda4e

                                                        SHA256

                                                        8a5580217b91bc08fa26107ecc6250900f7a6c0fe86f72e096e39d542e1f7802

                                                        SHA512

                                                        23de61a9995782ad45df1970f12478d5bd08519e3a4bc7c37cac0d338921fc689c90a50678cbe51a4d36e0badc34a1e8414956bc8c3b22c1cf488dee4689032f

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                        Filesize

                                                        648B

                                                        MD5

                                                        cc3b72afe714f5457f195f114324a86a

                                                        SHA1

                                                        b0a8439ff47525e8c36c262d1372b85239c7c96b

                                                        SHA256

                                                        bce5762aa25ea3e019fd9e6081745ec2c4ae69865e0db68e7d994b561d802616

                                                        SHA512

                                                        0d400abbe8f0c95a2b522a0acf593ca69695d7c34122f98c4620bf0304db26bb32d9d78d35e935027db632c4f3a278714604ef2fa114f374830350ea4e2e9612

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                        Filesize

                                                        2KB

                                                        MD5

                                                        488a2c121b5134ecd2223c127b1ecfeb

                                                        SHA1

                                                        52ff957bb331cc3008aefbcdf247d579ffe14692

                                                        SHA256

                                                        fc05fd5641ec2052f65747c7cabaa90b1698aef68dcaddcb84421275afe1df30

                                                        SHA512

                                                        c1bbf89cf2b4a4442bab53840d911fd937205df2bbc44cc3784b2dfb40ff1043d4f8d55c7c66b4ab87d1ecfbc4ceabffd0c5a4b4601dad3c464af175b996e6d3

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                        Filesize

                                                        1KB

                                                        MD5

                                                        8bb3b007359a06b1b647de5d5805a6e0

                                                        SHA1

                                                        7cae6b6e859759d1ef4a2a76e4a24c66877f4963

                                                        SHA256

                                                        9730b255796a682af6b04275905486e53c38ba78fe0f53ff66f22500dadc0841

                                                        SHA512

                                                        b33bd7fe0ada48d9d958a449011b4be396c5062a5453c29c4f03b5a5a00be702882d84528848cf72b75a02ccf430a035f7a6f8a601186febcd0060ddcee76716

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                        Filesize

                                                        7KB

                                                        MD5

                                                        880066c9837aa03957ac2282be75cab5

                                                        SHA1

                                                        ebd1e488a1e22cc2b5697174cb7619eee946b399

                                                        SHA256

                                                        5838b92b119b58e1fff1c3c9a7093b8f7b0cd47dfd33de38cde6151cf44d1fb3

                                                        SHA512

                                                        159f905ff68931d4066e0e496406f2934d972626e0e56d8ed747ec23321b247f28a6ef424cc985ad6cbcce272b67d614e9e2e8eb9a00cba9e39ab9e74a268b25

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                        Filesize

                                                        6KB

                                                        MD5

                                                        2c65efb80487f09660baf76ead0c84f8

                                                        SHA1

                                                        be53f15522109ee7793ba51c1ee27b35dbd3e7c8

                                                        SHA256

                                                        f63036927d5095328df74dc4ea54165b7cb0785e6b7fc147444780ab7ddb4194

                                                        SHA512

                                                        13c11001c0e741b67be79b926d5fee87d377d4ab1e7d8a5980e5b9714c4854e3e26c3b78dbc8863f7c6bbb607d2081c3b474badabde97e90ea57afd2abdcbf3f

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                        Filesize

                                                        7KB

                                                        MD5

                                                        7ce18c752dbfac93494f6c1cb702c711

                                                        SHA1

                                                        bf3629396436bf4fe073be0b8b9e3043becbb587

                                                        SHA256

                                                        384f6df95513617618d647a3581a44c5c45b5396d961b2a539ab75b713bfbd3f

                                                        SHA512

                                                        262242e6a501451ab5e4deb903bb4a110147aec59cfedfc036a8b3c81a30080c21309adf026d794ac08e9b15e47475d02c1ee524218da8d8b82e639c9d30e2bc

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                        Filesize

                                                        536B

                                                        MD5

                                                        081e6608d95d5c034087fc795dcef8b2

                                                        SHA1

                                                        e8a0cf2cf85a7e8c359bce0c9bbac8dc0385676d

                                                        SHA256

                                                        ac2da1af5bdba41c4aa36e17124a9b5d7d57852c4cbdd48f7c04a8c59e5337b7

                                                        SHA512

                                                        ce8544dfe5806362b6f4673482798d7609fd3967365e691fc8cb8b16d5ccf88fd363665a7057ddafb61b7cc8d1d9d915ff688a057fbf1132322f50042eb0eea2

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                        Filesize

                                                        703B

                                                        MD5

                                                        deb0596f0126e129ccff13d3ebd82a36

                                                        SHA1

                                                        0f8e3bd8a8d17f4f3c31de9de80620bdf2f26669

                                                        SHA256

                                                        e4bbb4d313a014edac3c8b46bd762fa2ff916ca17814ee9abaa1080cdd8761bd

                                                        SHA512

                                                        146daa58d0c6ff490d6e8560e3b31d60d7fb5149298052dc3b9cb75f1ac4baf3404c39b31065a607e91562157845ae10c8d7ecc4ff2b2b20542c68939b232666

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                        Filesize

                                                        536B

                                                        MD5

                                                        cbd379ed6b3c6da6bc10eac5f9ab852a

                                                        SHA1

                                                        e984bdce6dd168054a59ff556d6dcf203cb60098

                                                        SHA256

                                                        ad134aeb5cbfc0a2526ea0284ab65ec46a95d431b2aa53a5a62a0c21381ebb0f

                                                        SHA512

                                                        dd1a66073ff9c647a438236306a4bc0e48dcdd075821335c9f3d2e04208a263f97e38e74d1696dd37c94fb84440714412c586479b2dfb656d1871c86837c6e03

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                        Filesize

                                                        536B

                                                        MD5

                                                        4c3396cfb7229fda7d9b2227a7813afb

                                                        SHA1

                                                        9330803aa3a6c4bb7c85cfd8dacb628034da1d8b

                                                        SHA256

                                                        00ed4d4cc67adade227123c9e9cb8d3d48e500a0c20970e3c170ed9c84a80fe8

                                                        SHA512

                                                        06c9ba83e1817bef4d694495b7e2d0ddcee30a3472a34437365cc30387355f57bc74d4bb603ac0ed29b5cf7de7ee06df9af3aae9b7055c0270b552bb5e72a555

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e86c.TMP
                                                        Filesize

                                                        536B

                                                        MD5

                                                        88012aa22c94ae657c72b017bc01de74

                                                        SHA1

                                                        bf20bc8fedf78c2a8fd39550a5a0f7e29cf22c71

                                                        SHA256

                                                        394cd80e4b0cce1fbdae8c96c31735e22bc53fba045b29f232d7a52c0e3f93e1

                                                        SHA512

                                                        1ed9f83bf59347fb32ed722051dbf4772e70a72e78ea9e92fb0434f19ae9348c78b34e06a1fe545359b70ef0a27deffe77ef38e70d63ff6a6f7d39a6fdc37df0

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                        Filesize

                                                        16B

                                                        MD5

                                                        6752a1d65b201c13b62ea44016eb221f

                                                        SHA1

                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                        SHA256

                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                        SHA512

                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                        Filesize

                                                        11KB

                                                        MD5

                                                        58d0a64f2f8bec4c720883493f72b142

                                                        SHA1

                                                        44b3ab7a30755f41680e98057229829a4a0693e4

                                                        SHA256

                                                        eacc44582ff7dab2b0e8c0652f78fba85ffa5890b188dab46473d6531f1a7490

                                                        SHA512

                                                        9463f41203c470f1bd366c153f2698f9e63abd87275a17e297988c68289651a6750cd34bf4c9e12d95c85c25ed0fa5f96dac659d3c87d62851b69a664444fbf9

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                        Filesize

                                                        8KB

                                                        MD5

                                                        f51d0e95ba99985e093d5811a82bf4ea

                                                        SHA1

                                                        aa27fe13b1b730bf398d445597583b2c6ee640d2

                                                        SHA256

                                                        0f4f9bbeaff0f572c21105eab8034c5500d4a3d3846d0eac2cad1a4ed173980d

                                                        SHA512

                                                        063a3c39872b98465b7f6448020b82ed55c5a16a1cc54c167b772fd53add195779865759aed3e0def370a985b042e7bb3cd3ea90e24dd55b4105025d23f90392

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                        Filesize

                                                        8KB

                                                        MD5

                                                        c640d4b34002a9903579dca3560bc83a

                                                        SHA1

                                                        ad60500098f808fcc7bc4c7b660cd64c97ebb6c3

                                                        SHA256

                                                        5345bab74ccbba099e891dccde9a9ec198d9577c1eb851ed6f7d35ae6ed2df2d

                                                        SHA512

                                                        6bfad96c8b3d3716a5c8fd3721a278317af180709ce34914dc3e23e75d6978c92fa44cc211cb932b6891e27fe3dc577ad66cd374df358e2b5cc7017d6f2cf6d1

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                        Filesize

                                                        11KB

                                                        MD5

                                                        09a48f3dce9ed10c35d40c200a89f2bb

                                                        SHA1

                                                        51f69af306a66177dc0e7e27ce8e9bb732f70a75

                                                        SHA256

                                                        79e5cd9d9e788aae34549daae67776ad71fae564dedfbc007377e943c5413a16

                                                        SHA512

                                                        9eb49d18f74d216fe28b169efc94a8c1d10b9b31e2b2d67a33bca0c9e11010800d63773adcd5fadb91b61e4e1b8cd8a79beccbd9af6f6e872785bb2943c7af05

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                        Filesize

                                                        1KB

                                                        MD5

                                                        e123847cc8a6dff39db37b86c9421750

                                                        SHA1

                                                        1e5dfbf0ebdc6c9e2b261bbccabc5375a40142a7

                                                        SHA256

                                                        f09907e5bb81b44bc743a6cd628f940d8fd81263384c33453344b0f947f676a6

                                                        SHA512

                                                        39c8884592bc9541ccfa1229306e157e943fd96daed2ebad3ca448c463e7edb2e276f506483ca63f26ddf35a31cee87fe6b97228528579e4d0872a004e80debf

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                        Filesize

                                                        1.9MB

                                                        MD5

                                                        4ef3813fea580ac8117ec4efe049309c

                                                        SHA1

                                                        4c3bf23e42a83ba2a095a6e7b64eb51d08c3bd93

                                                        SHA256

                                                        19dfa4fee0fdea2caf83db8927177db9c71979ea442215b5b0304f5799526fc6

                                                        SHA512

                                                        8fe8168d2d6989d802d82b2cf7f07a48abb334ff1a1f8c74792d6b81c8b871e1f49c5954914010ea20fe26249fde621ff8faab5634f5836f5e902394eda23a20

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\1000042001\9f0f6b53c4.exe
                                                        Filesize

                                                        3.1MB

                                                        MD5

                                                        97f1799f768fe4e5bcdc089055dd3edc

                                                        SHA1

                                                        2e4d074c8f9a4cccac695b3d21710656e8b056fb

                                                        SHA256

                                                        8b3e46836cf46b6bf219def9484aa54920da0f5adc14470b745290097f7388d4

                                                        SHA512

                                                        5c07c7aaf8952fcaf293eb104fbe83580a32a7b34e1febfac999533ead94f38e87e038319ad771586a331f49708d38dbbb2b026ecf61333593c70dea00e6562b

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
                                                        Filesize

                                                        894KB

                                                        MD5

                                                        2f8912af892c160c1c24c9f38a60c1ab

                                                        SHA1

                                                        d2deae508e262444a8f15c29ebcc7ebbe08a3fdb

                                                        SHA256

                                                        59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308

                                                        SHA512

                                                        0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
                                                        Filesize

                                                        1.8MB

                                                        MD5

                                                        0193ae529e1b5a9af6c9e0a9764e7c0f

                                                        SHA1

                                                        4db7d28f2b787386c3f60cc3d646d25553311ae3

                                                        SHA256

                                                        bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e

                                                        SHA512

                                                        355f310885fc61f433244bdd11b65d534891e77daffb2fe4005f59f619ce564615b8959e2a99049d849dd07dfccdeba07889d839344788e5dfbc58f9b738b5c7

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\570491262506_Desktop.zip
                                                        Filesize

                                                        106KB

                                                        MD5

                                                        30206d67bea947b4d8ad0f527b8e1463

                                                        SHA1

                                                        b32ccdbcfde75701f2d108e124c33ea2273fb870

                                                        SHA256

                                                        ef8fb90999cacbf06927294d3d1f95137e2abf0cf86ea6b395c5b425382ca787

                                                        SHA512

                                                        5c53f69a7ca9debe3a465a87442e435741b6c9a9be06f77187d14f49973837d0c8f2ec01c3fd0e509f2ccc2bbae9fe8a46f132bfe99755abd3e63c15c025aa68

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\_Files_\UnpublishRemove.xlsx
                                                        Filesize

                                                        106KB

                                                        MD5

                                                        0046494ef2911ae619fa2a8b3ed684f7

                                                        SHA1

                                                        60dd5a76c967f0df8fffc1891fa78dde10d61d83

                                                        SHA256

                                                        40c8202518ac42db7dc8dc87beb57c9a368eed7244efcae4150c2f6bc98d6c56

                                                        SHA512

                                                        fdf152ed981a555d4aac9425a4a1c3f9726dc68bf5ab0a90d99c63c29daa2d7171806213fb54bc6e99ef5eaa57fd6710d45df5e8087ee27f5fa97256c17aa929

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qohohmu.dki.ps1
                                                        Filesize

                                                        60B

                                                        MD5

                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                        SHA1

                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                        SHA256

                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                        SHA512

                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                                                        Filesize

                                                        109KB

                                                        MD5

                                                        2afdbe3b99a4736083066a13e4b5d11a

                                                        SHA1

                                                        4d4856cf02b3123ac16e63d4a448cdbcb1633546

                                                        SHA256

                                                        8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

                                                        SHA512

                                                        d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                                                        Filesize

                                                        1.2MB

                                                        MD5

                                                        92fbdfccf6a63acef2743631d16652a7

                                                        SHA1

                                                        971968b1378dd89d59d7f84bf92f16fc68664506

                                                        SHA256

                                                        b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

                                                        SHA512

                                                        b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
                                                        Filesize

                                                        109KB

                                                        MD5

                                                        726cd06231883a159ec1ce28dd538699

                                                        SHA1

                                                        404897e6a133d255ad5a9c26ac6414d7134285a2

                                                        SHA256

                                                        12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

                                                        SHA512

                                                        9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
                                                        Filesize

                                                        1.2MB

                                                        MD5

                                                        15a42d3e4579da615a384c717ab2109b

                                                        SHA1

                                                        22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

                                                        SHA256

                                                        3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

                                                        SHA512

                                                        1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

                                                        Download Submit

                                                      • \??\pipe\LOCAL\crashpad_1092_TMRLZZEYIGYRIMBB
                                                        MD5

                                                        d41d8cd98f00b204e9800998ecf8427e

                                                        SHA1

                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                        SHA256

                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                        SHA512

                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                        Download Submit

                                                      • memory/1592-450-0x0000000005270000-0x0000000005271000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1592-451-0x0000000005280000-0x0000000005281000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1592-449-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/1592-452-0x0000000005260000-0x0000000005261000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1592-428-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/1592-453-0x00000000052B0000-0x00000000052B1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1592-454-0x0000000005240000-0x0000000005241000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1592-455-0x0000000005250000-0x0000000005251000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1592-467-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/1592-456-0x00000000052A0000-0x00000000052A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1916-616-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/1948-556-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-466-0x0000000004E50000-0x0000000004E51000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-463-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-461-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-464-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-465-0x0000000004E20000-0x0000000004E21000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-460-0x0000000004E00000-0x0000000004E01000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-459-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-457-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-462-0x0000000004E30000-0x0000000004E31000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-468-0x0000000004E40000-0x0000000004E41000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1948-475-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-510-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-559-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-569-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-588-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-628-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-430-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/1948-642-0x00000000001C0000-0x0000000000678000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/2284-8-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2284-6-0x0000000004D20000-0x0000000004D21000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2284-0-0x00000000001C0000-0x0000000000698000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/2284-21-0x00000000001C0000-0x0000000000698000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/2284-1-0x0000000076ED4000-0x0000000076ED6000-memory.dmp

                                                        Filesize

                                                        8KB

                                                        Download

                                                      • memory/2284-9-0x0000000004D40000-0x0000000004D41000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2284-7-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2284-5-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2284-2-0x00000000001C0000-0x0000000000698000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/2284-4-0x0000000004D00000-0x0000000004D01000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2284-3-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2480-421-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-425-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-627-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-586-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-560-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-557-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-554-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-405-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-280-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-641-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-50-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-491-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-51-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-383-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-382-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-371-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/2480-469-0x0000000000840000-0x0000000000C10000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                        Download

                                                      • memory/4512-474-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-626-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-27-0x0000000005470000-0x0000000005471000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4512-643-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-26-0x0000000005430000-0x0000000005431000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4512-179-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-393-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-23-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-31-0x0000000005490000-0x0000000005491000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4512-631-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-147-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-458-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-411-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-29-0x0000000005420000-0x0000000005421000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4512-422-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-370-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-24-0x0000000005440000-0x0000000005441000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4512-568-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-528-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-30-0x00000000054A0000-0x00000000054A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4512-25-0x0000000005450000-0x0000000005451000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4512-22-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-28-0x0000000005410000-0x0000000005411000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4512-555-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4512-558-0x0000000000D50000-0x0000000001228000-memory.dmp

                                                        Filesize

                                                        4.8MB

                                                        Download

                                                      • memory/4776-148-0x00000000054B0000-0x00000000054B1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4776-153-0x0000000005490000-0x0000000005491000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4776-152-0x00000000054A0000-0x00000000054A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4776-187-0x0000000000AD0000-0x0000000000F88000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/4776-181-0x0000000005500000-0x0000000005501000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4776-151-0x0000000005480000-0x0000000005481000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4776-125-0x0000000000AD0000-0x0000000000F88000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/4776-150-0x00000000054F0000-0x00000000054F1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4776-180-0x0000000005510000-0x0000000005511000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4776-161-0x0000000000AD0000-0x0000000000F88000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                        Download

                                                      • memory/4776-149-0x00000000054C0000-0x00000000054C1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4776-154-0x00000000054E0000-0x00000000054E1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4864-501-0x00007FFB9FD10000-0x00007FFBA07D1000-memory.dmp

                                                        Filesize

                                                        10.8MB

                                                        Download

                                                      • memory/5480-292-0x000001D674240000-0x000001D674250000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/5480-293-0x000001D674240000-0x000001D674250000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/5480-291-0x00007FFB9FC50000-0x00007FFBA0711000-memory.dmp

                                                        Filesize

                                                        10.8MB

                                                        Download

                                                      • memory/5480-299-0x000001D6747C0000-0x000001D6747D2000-memory.dmp

                                                        Filesize

                                                        72KB

                                                        Download

                                                      • memory/5480-281-0x000001D674180000-0x000001D6741A2000-memory.dmp

                                                        Filesize

                                                        136KB

                                                        Download

                                                      • memory/5480-300-0x000001D674230000-0x000001D67423A000-memory.dmp

                                                        Filesize

                                                        40KB

                                                        Download

                                                      • memory/5480-314-0x00007FFB9FC50000-0x00007FFBA0711000-memory.dmp

                                                        Filesize

                                                        10.8MB

                                                        Download