amadey | b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700

Analysis

max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09/04/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
Size

1.8MB
MD5

2a32676fb29d480f4fa2239fd1150169
SHA1

9d667a64e0435d611535e3ecb942ca29816deb39
SHA256

b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700
SHA512

7541203406640d75134372b6bcfad9a3d95a8a020ebf3cf09325136fddfbf6b7745ba34398a72647989d0d6af48551b2ba37eef1d5cc31f44bf25c25b9e58c62
SSDEEP

24576:2UKn1+ElUjHXTGNrtkx4/hqS12jZ2uWeWKa67X6gkA/ghWtOASJKGUFLYx21zQ05:580E63i/I4/hZWEiWc6WcWtNYUlYAhQ

Score

10^/10

amadey risepro evasion spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8453ce499f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
32	2180	rundll32.exe
36	4952	rundll32.exe
41	2620	rundll32.exe
42	2180	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8453ce499f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8453ce499f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Executes dropped EXE 8 IoCs

pid	Process
2272	explorha.exe
4232	8453ce499f.exe
1508	explorha.exe
4532	amert.exe
2668	3fecde4431.exe
4728	explorgu.exe
4912	explorha.exe
4900	explorha.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	8453ce499f.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	amert.exe

Loads dropped DLL 6 IoCs

pid	Process
1540	rundll32.exe
2180	rundll32.exe
4952	rundll32.exe
4864	rundll32.exe
2620	rundll32.exe
2180	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000025c95-126.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4972	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
2272	explorha.exe
4232	8453ce499f.exe
4532	amert.exe
1508	explorha.exe
4728	explorgu.exe
4912	explorha.exe
4900	explorha.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 1508	2272	explorha.exe	82

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571363108933373"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4972	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
4972	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
2272	explorha.exe
2272	explorha.exe
4232	8453ce499f.exe
4232	8453ce499f.exe
4532	amert.exe
4532	amert.exe
1508	explorha.exe
1508	explorha.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
1276	chrome.exe
1276	chrome.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
1936	powershell.exe
1936	powershell.exe
1936	powershell.exe
4728	explorgu.exe
4728	explorgu.exe
4912	explorha.exe
4912	explorha.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe
4900	explorha.exe
4900	explorha.exe
1044	chrome.exe
1044	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4972	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
2668	3fecde4431.exe
1276	chrome.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
1276	chrome.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
2668	3fecde4431.exe
2668	3fecde4431.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe
2668	3fecde4431.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2272	4972	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe	80
PID 4972 wrote to memory of 2272	4972	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe	80
PID 4972 wrote to memory of 2272	4972	b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe	80
PID 2272 wrote to memory of 4232	2272	explorha.exe	81
PID 2272 wrote to memory of 4232	2272	explorha.exe	81
PID 2272 wrote to memory of 4232	2272	explorha.exe	81
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 1508	2272	explorha.exe	82
PID 2272 wrote to memory of 4532	2272	explorha.exe	83
PID 2272 wrote to memory of 4532	2272	explorha.exe	83
PID 2272 wrote to memory of 4532	2272	explorha.exe	83
PID 2272 wrote to memory of 1540	2272	explorha.exe	84
PID 2272 wrote to memory of 1540	2272	explorha.exe	84
PID 2272 wrote to memory of 1540	2272	explorha.exe	84
PID 1540 wrote to memory of 2180	1540	rundll32.exe	85
PID 1540 wrote to memory of 2180	1540	rundll32.exe	85
PID 2180 wrote to memory of 4032	2180	rundll32.exe	86
PID 2180 wrote to memory of 4032	2180	rundll32.exe	86
PID 2272 wrote to memory of 2668	2272	explorha.exe	88
PID 2272 wrote to memory of 2668	2272	explorha.exe	88
PID 2272 wrote to memory of 2668	2272	explorha.exe	88
PID 2668 wrote to memory of 1276	2668	3fecde4431.exe	89
PID 2668 wrote to memory of 1276	2668	3fecde4431.exe	89
PID 1276 wrote to memory of 4620	1276	chrome.exe	92
PID 1276 wrote to memory of 4620	1276	chrome.exe	92
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94
PID 1276 wrote to memory of 4984	1276	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe
"C:\Users\Admin\AppData\Local\Temp\b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\1000042001\8453ce499f.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\8453ce499f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4232
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4532
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:4032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
- - C:\Users\Admin\AppData\Local\Temp\1000051001\3fecde4431.exe
    "C:\Users\Admin\AppData\Local\Temp\1000051001\3fecde4431.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff03be9758,0x7fff03be9768,0x7fff03be9778
        5⤵
        
        PID:4620
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:2
        5⤵
        
        PID:4984
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:8
        5⤵
        
        PID:3352
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:8
        5⤵
        
        PID:2164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2672 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:1
        5⤵
        
        PID:1008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2680 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:1
        5⤵
        
        PID:4856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3912 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:1
        5⤵
        
        PID:4540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:8
        5⤵
        
        PID:1524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:8
        5⤵
        
        PID:2204
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:8
        5⤵
        
        PID:4856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1820,i,16272923839776094548,14500636314587368699,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4728
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:4864
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2620
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2668
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2180

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
dd886ebb547d034a7ccc277f6d1b87a7

SHA1
782afea917222e92fc548d73277d49c9b2f23513

SHA256
79068dc7a564338ef6b02994162777c053e42e46b1dd3bc31a0f0253b2b478a4

SHA512
d1ef8742fd17a2d3a445111983c9c027aca5a2ee9f7f7421d7842ddf286b4112266ad16fa5115f2062bd2b439b63529ced3c112ab20139547618ee5f23f178dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d03df5aae5c9b5d66a6e07fe7f6d0732

SHA1
0506a80fffa45095148e48c4f8f5458e057b6cbc

SHA256
f3b904a94379aa24f6f187f4fc6607db9972012b684e7bd48b8acc878b59e727

SHA512
424be185e82b2231bca2644cf92f5dde33686a1870e121d53b05ae3b28b721f520d9124557dc5131a7047029935790df98662f13614ba5e81596e6ddc47f670a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
1d6da2f21ef73d5b382dc2a143e70cb6

SHA1
768a3d384b315b98578588449b3e7556b1853b90

SHA256
f83bf69c23bf3903ce4d2a85643d644da37c2e84cd26804a15bd0aa3c3443b48

SHA512
a58f7925d4ab5bd66a0b84709782d2f3af7e908aae669c37d26a643b83a9af554f11ea93627a1779893e551d8811f82ac03a06885bc1028ab8965df927aeb9a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a0ea2ab86383f3598a79614b658b72f6

SHA1
9d7b325334bf8c9608f7426076279d958c357264

SHA256
5f876bd89091e5236127395cc1e3ba142856ccce6dafe6afdb4eed39f0c3ff81

SHA512
29a3075a6ce156b54aaeb4a58b3e678d5f97f8cad58191dd8fa12e0ec29beaecef5eed5d40e28edafb5e8108b560a84dd64a6dda5419cd643d263c86e07bc2b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
55f8872039216b56836e93412f455bdb

SHA1
10680a42aad315a7b5fdb91666dd6c974dd5730a

SHA256
90aefba265684fa20a96b8ad2b43871e7b980fee3683d49ac6c8b23c07405565

SHA512
c3407163e93ecf35e601bdbb2f21c8428bd7ee140467f4f2d41109c55ddc1936ec85c40e431e5f8031c04f6cefdd0fe86b05c4c2c6a40ac66d08baf4292cc442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
bf918638d906fae620a9bfcdd18f24c1

SHA1
3542e41fa5ba5bf00c2637b8212f651b6c529e0a

SHA256
98719b262a7024644acafb28060422fa23e7a949a92d3d1bbed782f8994f6b31

SHA512
7305b7b9f748e7f0a746279e8c50950fc020312126a3604542c7af786e97fbfcfab2919133968cb6eb1d5c01e7b05f83d168d24932d82a9321d9e79e7239c7a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
117f100b470fab5df2196c1e8ea80f92

SHA1
06b6130a54c913085c362b41d217e725dc04a9a6

SHA256
96f2e1cab4f3e1048ebdf968222f60230586c576b1194cdfa0c19a510d9ae11c

SHA512
d53f599597da45f64de6426f9349d9713fcd8cbfdc6c25599ca1d280af81d867c338e88d172f3840ef130f62484f559b219fee46f41e955c417d5268bb383eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
2a32676fb29d480f4fa2239fd1150169

SHA1
9d667a64e0435d611535e3ecb942ca29816deb39

SHA256
b7b89484ef2322e2c2d175b5a52324bc01ff74b5a18937fe52f4caafa17ea700

SHA512
7541203406640d75134372b6bcfad9a3d95a8a020ebf3cf09325136fddfbf6b7745ba34398a72647989d0d6af48551b2ba37eef1d5cc31f44bf25c25b9e58c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\8453ce499f.exe

Filesize
2.1MB

MD5
b929da8c9fcb6cb73857a40ddac5aab1

SHA1
b24c4024d3b05f95f784af653603f25210de4354

SHA256
458a716c62104a5a109edcab77c4b7bb25c52ceb1458efa42d3a9b723018c39c

SHA512
8c1cd44820273de254c1e4e2af61429280cabaf50f93c88a3890df6f7db072290febc8366ab8f9b09d592533c51287f90946d72f7131e96cd02137fb7677ab41

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe

Filesize
1.8MB

MD5
beeee61e8b6cfe13fa2c7d7ce21338a1

SHA1
79c7f39d270fb7fcd54c947940c4183ffe226350

SHA256
d110bf26f41ba5f0cee6407fde0baf3fff62e714e43eec41c805cec168436905

SHA512
5dcee188f325fc1b07cccfaa9ebd92c197e306d2385de35d83794bc5bceed35034acbdccd985af106ebb25a9aa4f46cf4ea1fd25154bf4badb6cee6c8c3f375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000051001\3fecde4431.exe

Filesize
1.1MB

MD5
dd6890ad7fd476d16a355e1417246deb

SHA1
c1d5cb52902b6d17cda89a791b1d0c2e5e6f5620

SHA256
cfd42211d3ca585193e805a9573889ad2364eae5a037c440ee6efbf038b46bae

SHA512
03f4dfebcca08fc90793d0d781e9f70bb25781c6c6474e65e0e8b6badc026c8ceeba3698745eb643d029cfcb39272bbc4b0b6472490513435c83a8779c78a863

Download Submit
C:\Users\Admin\AppData\Local\Temp\472529282816_Desktop.zip

Filesize
177KB

MD5
162e24ec3fbb577eda9f23b75dfbe2cb

SHA1
83dd3e906479c6d5df9ac1ebf2f2a8574755aea0

SHA256
33e3cc1a85b70259525cf973d4aa46ce0017e18bc30ca7659203ca07abcf4fc2

SHA512
4029d53c07314a9a13cdb4314130fbec0c2f8bee7468ea393f8c319fa748790276a59c5207ab415fd74ad7f19ab70efcd41505bf8735dea08e29d926de391d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\RevokeSuspend.docx

Filesize
177KB

MD5
2ea6e12fe63b8f092eed0f0ec089a008

SHA1
8720353532de0b44b34174b92d4c03ba3785b8a0

SHA256
22352fa23947a87d6b7080a824ed3d2ce482d7b64dd8a05db5ea3fdeb2f90a46

SHA512
0d3d63479d45d45bf9001d74db3a0fa7803769e614906a16083cc1b41bbf19760803e809e90ade85d0b5a1cd4baca05d3e555ec6b8cb11e08b12ac46071dd2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_an4b5ghj.nmh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
memory/1508-68-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-108-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-159-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1508-164-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/1508-165-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/1508-167-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1508-168-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1508-169-0x00000000054C0000-0x00000000054C2000-memory.dmp

Filesize
8KB

Download
memory/1508-166-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/1508-163-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1508-162-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/1508-257-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-62-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-66-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/1508-65-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-161-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1508-158-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/1508-99-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-83-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-116-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-86-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-120-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-89-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-88-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-90-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-91-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-92-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-93-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-94-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-134-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-96-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-135-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-100-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-133-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-103-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-104-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-132-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-107-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-131-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-109-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-130-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-121-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-119-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1508-118-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1936-209-0x00007FFF00F60000-0x00007FFF01A22000-memory.dmp

Filesize
10.8MB

Download
memory/1936-219-0x00007FFF00F60000-0x00007FFF01A22000-memory.dmp

Filesize
10.8MB

Download
memory/1936-213-0x000002676BCA0000-0x000002676BCB2000-memory.dmp

Filesize
72KB

Download
memory/1936-214-0x000002676BC80000-0x000002676BC8A000-memory.dmp

Filesize
40KB

Download
memory/1936-211-0x000002676B960000-0x000002676B970000-memory.dmp

Filesize
64KB

Download
memory/1936-210-0x000002676B960000-0x000002676B970000-memory.dmp

Filesize
64KB

Download
memory/1936-208-0x000002676B970000-0x000002676B992000-memory.dmp

Filesize
136KB

Download
memory/2272-268-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-67-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-23-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2272-22-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-85-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-26-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2272-30-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2272-29-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2272-25-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/2272-193-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-256-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-24-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2272-28-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/2272-275-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-309-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-326-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-361-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-27-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/2272-378-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-381-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-384-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/2272-395-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/4232-258-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-274-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-147-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-50-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/4232-385-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-51-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4232-382-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-212-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-53-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4232-379-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-52-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4232-362-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-54-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/4232-347-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-55-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4232-156-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-310-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-56-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4232-278-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-59-0x0000000005440000-0x0000000005442000-memory.dmp

Filesize
8KB

Download
memory/4232-49-0x0000000000850000-0x0000000000DC7000-memory.dmp

Filesize
5.5MB

Download
memory/4232-57-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/4232-58-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4532-87-0x0000000000350000-0x000000000080D000-memory.dmp

Filesize
4.7MB

Download
memory/4532-95-0x0000000000350000-0x000000000080D000-memory.dmp

Filesize
4.7MB

Download
memory/4532-97-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4532-115-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4532-117-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4532-114-0x0000000000350000-0x000000000080D000-memory.dmp

Filesize
4.7MB

Download
memory/4532-101-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/4532-105-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4532-106-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/4532-102-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4532-98-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4728-380-0x0000000000450000-0x000000000090D000-memory.dmp

Filesize
4.7MB

Download
memory/4728-311-0x0000000000450000-0x000000000090D000-memory.dmp

Filesize
4.7MB

Download
memory/4728-348-0x0000000000450000-0x000000000090D000-memory.dmp

Filesize
4.7MB

Download
memory/4728-386-0x0000000000450000-0x000000000090D000-memory.dmp

Filesize
4.7MB

Download
memory/4728-279-0x0000000000450000-0x000000000090D000-memory.dmp

Filesize
4.7MB

Download
memory/4728-383-0x0000000000450000-0x000000000090D000-memory.dmp

Filesize
4.7MB

Download
memory/4728-363-0x0000000000450000-0x000000000090D000-memory.dmp

Filesize
4.7MB

Download
memory/4900-394-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/4912-299-0x0000000000BB0000-0x0000000001043000-memory.dmp

Filesize
4.6MB

Download
memory/4972-1-0x0000000077626000-0x0000000077628000-memory.dmp

Filesize
8KB

Download
memory/4972-9-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4972-6-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/4972-8-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/4972-3-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4972-5-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4972-21-0x0000000000970000-0x0000000000E03000-memory.dmp

Filesize
4.6MB

Download
memory/4972-0-0x0000000000970000-0x0000000000E03000-memory.dmp

Filesize
4.6MB

Download
memory/4972-2-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/4972-4-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4972-7-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download