amadey | 36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
Size

3.1MB
MD5

b99051ab3db5ededaf140da0e1b2f96b
SHA1

97d9dff4f289cc5f348064d6b2232d857aa31696
SHA256

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2
SHA512

a07ba2d8842e03361b7d0a86342bab8954706fe93f83234a9838e1c6e9eeb8c2457199f99b6fc39bf2ac151bea0b4b31efa7736cbbed5dc9935b21a85a43df0d
SSDEEP

49152:t651sr5tj5R7Tm+kZ4J4VQHIuvCwykHdnXoyxBnBTrbldmujuM:k51s37TmEzxlr/uM

Score

10^/10

amadey risepro xehook evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.93:58709

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

xehook

https://unotree.ru/

https://aiwhcpoaw.ru/

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xehook Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3864-366-0x0000000000400000-0x000000000041C000-memory.dmp	family_xehook

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exeexplorha.exeexplorha.exe64b190cfa2.exeexplorha.exeamert.exechrosha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	64b190cfa2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

31 3564 rundll32.exe
32 3188 rundll32.exe
Downloads MZ/PE file

flow	pid	process
31	3564	rundll32.exe
32	3188	rundll32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exeexplorha.exeamert.exechrosha.exeexplorha.exeexplorha.exeexplorha.exe64b190cfa2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64b190cfa2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	64b190cfa2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 9 IoCs

Processes:

explorha.exec7fdb0dc3c.exeexplorha.exe64b190cfa2.exeexplorha.exeamert.exechrosha.exeexplorha.exedirtquire.exe

pid	process
5080	explorha.exe
1816	c7fdb0dc3c.exe
3560	explorha.exe
1164	64b190cfa2.exe
4504	explorha.exe
3872	amert.exe
3232	chrosha.exe
3680	explorha.exe
1656	dirtquire.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exeexplorha.exeexplorha.exe64b190cfa2.exeexplorha.exeamert.exechrosha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	64b190cfa2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	explorha.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4024 rundll32.exe
3564 rundll32.exe
3188 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4024	rundll32.exe
3564	rundll32.exe
3188	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\c7fdb0dc3c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\c7fdb0dc3c.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\64b190cfa2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\64b190cfa2.exe"	explorha.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 ip-api.com

flow	ioc
44	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\c7fdb0dc3c.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exeexplorha.exeexplorha.exe64b190cfa2.exeexplorha.exeamert.exechrosha.exeexplorha.exe

pid	process
2208	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
5080	explorha.exe
3560	explorha.exe
1164	64b190cfa2.exe
4504	explorha.exe
3872	amert.exe
3232	chrosha.exe
3680	explorha.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dirtquire.exe

description pid process target process

PID 1656 set thread context of 3864 1656 dirtquire.exe RegAsm.exe

description	pid	process	target process
PID 1656 set thread context of 3864	1656	dirtquire.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581224455394598"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3263309122-2820180308-3568046652-1000\{73BEACFC-8616-4A38-910D-22A7043C7FE1}	chrome.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exeexplorha.exechrome.exeexplorha.exerundll32.exepowershell.exe64b190cfa2.exeexplorha.exeamert.exechrome.exechrosha.exeexplorha.exeRegAsm.exe

pid	process
2208	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
2208	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
5080	explorha.exe
5080	explorha.exe
4184	chrome.exe
4184	chrome.exe
3560	explorha.exe
3560	explorha.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
4536	powershell.exe
4536	powershell.exe
4536	powershell.exe
1164	64b190cfa2.exe
1164	64b190cfa2.exe
4504	explorha.exe
4504	explorha.exe
3872	amert.exe
3872	amert.exe
2912	chrome.exe
2912	chrome.exe
3232	chrosha.exe
3232	chrosha.exe
3680	explorha.exe
3680	explorha.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe
3864	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4184 chrome.exe
4184 chrome.exe
4184 chrome.exe
4184 chrome.exe

pid	process
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe
Token: SeCreatePagefilePrivilege	4184	chrome.exe
Token: SeShutdownPrivilege	4184	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exec7fdb0dc3c.exechrome.exe

pid	process
2208	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
1816	c7fdb0dc3c.exe
4184	chrome.exe
1816	c7fdb0dc3c.exe
4184	chrome.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

c7fdb0dc3c.exechrome.exe

pid	process
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
4184	chrome.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe
1816	c7fdb0dc3c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exeexplorha.exec7fdb0dc3c.exechrome.exe

description	pid	process	target process
PID 2208 wrote to memory of 5080	2208	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe	explorha.exe
PID 2208 wrote to memory of 5080	2208	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe	explorha.exe
PID 2208 wrote to memory of 5080	2208	36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe	explorha.exe
PID 5080 wrote to memory of 1816	5080	explorha.exe	c7fdb0dc3c.exe
PID 5080 wrote to memory of 1816	5080	explorha.exe	c7fdb0dc3c.exe
PID 5080 wrote to memory of 1816	5080	explorha.exe	c7fdb0dc3c.exe
PID 1816 wrote to memory of 4184	1816	c7fdb0dc3c.exe	chrome.exe
PID 1816 wrote to memory of 4184	1816	c7fdb0dc3c.exe	chrome.exe
PID 4184 wrote to memory of 4748	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 4748	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 1640	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2188	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2188	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe
PID 4184 wrote to memory of 2072	4184	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe
"C:\Users\Admin\AppData\Local\Temp\36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\1000055001\c7fdb0dc3c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000055001\c7fdb0dc3c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaecb0ab58,0x7ffaecb0ab68,0x7ffaecb0ab78
        5⤵
        
        PID:4748
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:2
        5⤵
        
        PID:1640
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:8
        5⤵
        
        PID:2188
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:8
        5⤵
        
        PID:2072
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:1
        5⤵
        
        PID:1764
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:1
        5⤵
        
        PID:2768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:1
        5⤵
        
        PID:3868
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3360 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:1
        5⤵
        
        PID:2532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4356 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:8
        5⤵
        
        PID:4616
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:3524
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:8
        5⤵
        
        PID:1716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:8
        5⤵
        
        PID:1428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:8
        5⤵
        
        PID:3384
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4744 --field-trial-handle=1812,i,8442736433090428311,3595235375052821262,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4024
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3564
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\263309122282_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\1000056001\64b190cfa2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000056001\64b190cfa2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:432
- - C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3872

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3560

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3232
- C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe
  "C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3864

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
14a360367d3153c10d790a159dded55e

SHA1
0ef9d34f483650fe5d245a81c00abf1a8a63d8f5

SHA256
5abbcddce082d9059f87eaa931de18f5d961d2119c3451874861e97868354de0

SHA512
97d726e4edc46b124f3b74f4c62eb8ed63e7ee6ed566797e3db9c92a23215d04c2746578636641fcbfe2eb3ebbf4c86794a3459318c2f42e1a2ad0d439831601

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
b4c1148fdb6d4cf3b3fc899e8b68cefc

SHA1
a96441ab1529b38b586801f3734c54867f9ea13a

SHA256
70a0cd3cf294666891c6d208daa0f227c516831d5e385a5e536bf6896723a5f1

SHA512
ad0b802588bb145e4da3c4810c0087cba42ab80932f0db6f1d26c1b60c020483827cbb42bf459999123a3f3d6cb6d5d961b3377e0e3074cff852e344ef71dce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d0a2c1f301a7039641d7878fa017deb9

SHA1
45e0742d96cb98148fd722f3f3468465f5077ff7

SHA256
87c1cae64964e1a1cbb7b630a36581f0477e8284872c415d87131a112fc7368c

SHA512
4ae77edf9617c3ae0f326e325945236fcab0eba2b4bb3fabb5c37d4e90c41bb921c20af3e18f93f61ac980ddcf3b3d9d375b0951d5f9dd2788b487dd6c5143b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1dd64795183f0c4ad22f42c389838b9d

SHA1
ab4fe0334a71c27b19fc78ed0ed09bfdca3cac32

SHA256
5b029179d4665c9fa5f55ebf98129f6ba4b1fe1cb1a49caf758f6ad435d0ba8f

SHA512
542dfe0d7d24be58cedc0019fd170904ada36c35de1f6e52b9ddf152c68041a251f5119529bc9db24ce9e1562218573f717374b8a7f4733e4f41a94cd8bdb17e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
54c2a00e9348bd86a901769bf6650a36

SHA1
99482a1108aea11b07ed5216ffc05fedc47da64b

SHA256
75069012030fe2e9b33ebfb434e7cc32d3941150648234d366cad17b76c76d07

SHA512
10b00d635bf50b46b8705be1bc78f2c9bb1ed8a2966cddd432546a235eceba005a0ef33caccefcf48a575213bb1adfb1c803631ece1b1e0c10cd7a35f025368a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
3158b9e0a3c494814eef6deeb418dad0

SHA1
ad14fedcd5d7ed60c32c6a6ec5b7138189782c8d

SHA256
60c307a35e455607f894510db85116d679a9788367c4c8757870ddc987afd880

SHA512
04e80d8e71e1d432463a421c7258630fddd1ea82d4826d0c74eeabc36d9a3427c8769f27b821e58c91d0c35c524e6dd36cb4e6dc48da839cbad3ee34b6fd0282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0239fca888cd041789de6da371d53742

SHA1
909412c5e532c05fa3dfc7e18ae9871f3ef838ae

SHA256
ac2a989d75fbd4ac78b9e4bc2bad8b0dd58a115476dd8dd35037786b873e7c5d

SHA512
ca00a87961137c33c020beae7d67c3d395aa4f1103c3bd59675dc7785245d16e38eef786e14c9abbb04317731373d12ac860b04b54e3f06023ed30e0cd257032

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
44e4e53b6e899f20d581686901067aca

SHA1
3ea1dd173f1ae9b3df48d3a8ae7e34394ced3942

SHA256
30cd7775da0155d2c26cf0f8298b0716ae34ca2081a52496f6229032f50979aa

SHA512
0c0cf92ab3c0c9ca93d0be6369b9fe18c132e5dacdce03615ee368d8ae83f81e97fd8608b0c215410a34c69e6dc59c8807eaae893d9916c2ce04ff7ba400818d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
b0edd2301bc9b6269a7fc38278f171b0

SHA1
6b561b183783a12b14984ea222fef4536a7b575c

SHA256
4f3141d47216593c545d534f2f509fd05f9a455b1f6dc7350ebfebbb4f506321

SHA512
7b8a35ab31a29836ee3906b6c7a07085f878043f278d0718a6ee5b6da5ee6bb75514bcc338264c0694452b8ce3c383d6ecd3880f3513f14f75abc8dc3d8425fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
3.1MB

MD5
b99051ab3db5ededaf140da0e1b2f96b

SHA1
97d9dff4f289cc5f348064d6b2232d857aa31696

SHA256
36805905b5892631d472424f04b44d6708e3f3d05a59212713c785dcb8db0ba2

SHA512
a07ba2d8842e03361b7d0a86342bab8954706fe93f83234a9838e1c6e9eeb8c2457199f99b6fc39bf2ac151bea0b4b31efa7736cbbed5dc9935b21a85a43df0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000055001\c7fdb0dc3c.exe

Filesize
1.1MB

MD5
86c89b35f1a98a835898997c85fe512b

SHA1
361bcd16dcd2c5e3e9825084973fac56078139b2

SHA256
b1399d79f17926760301dfc4409dc6dcf2fe7b405af3bfad7bde2a5245424962

SHA512
65f7f834a5ea1573a62800e2935416c85b4b0b4151e9d0086d064cbcb4a0152d53e36a64cc1c4aebfe5c16cbd89949f1f359caef737d5e8a572133c5b2086511

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000056001\64b190cfa2.exe

Filesize
2.2MB

MD5
4b0d0c94d11cb1566e4139e3a8897af9

SHA1
e627fe1a11f5489b5c64f3102158f673a5c9f55b

SHA256
71aedc9866a19f8b4b24245196ca0eebf4aed41bfe6fe8d84dbe6ebcbfe0e7eb

SHA512
7eb1b84591a7eb9cb31b36cbdcb9a7a8d361025aa4338fb5d573b969592f7b2c9bb33f3794ab34f992e232eac6c10c2e92d8b8cc3e16c1e5955f6b7fdcb2f455

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe

Filesize
1.8MB

MD5
3996a3a682941cc65cc868d457d62d34

SHA1
574ccd8f67a879a98b13a64aded9e5628e3572fe

SHA256
205010ffb506d61705281f0a41608f15759700d2d39de55a27248ac13d270025

SHA512
9900ae8a799cf76cfc67536659efeec99c772212d5e91f1663c0a2c5211430c42141b6886f62e4f85cf76d11634f8c6a0421f47c1be1c4960a7391e9c1428f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe

Filesize
273KB

MD5
e795115169cc800de0392d6a675d58fd

SHA1
8dd75837e360ba1cb8acf5a3d348dd020a5da482

SHA256
17f929c1d40a7fd6f897c0b15ca9c44b2059cbccb3037c31619d87954659478e

SHA512
5fb6543e91de175bd365462a1cc87d6772e43b0effd3757b3e408b08a4de5a004de9a85e7f1d09578fa3bc6b6486c5f5016c1b879496582dbb39b2e62e168f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_az5zjguh.0xu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\crashpad_4184_KRPTVNRCQFEAJZGF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1164-220-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/1164-218-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1164-320-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-285-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-212-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-274-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-214-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/1164-213-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/1164-215-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1164-216-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/1164-236-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-235-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-224-0x0000000005230000-0x0000000005232000-memory.dmp

Filesize
8KB

Download
memory/1164-223-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/1164-222-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/1164-217-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/1164-339-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-242-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-238-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-221-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/1164-318-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/1164-219-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1164-301-0x0000000000730000-0x0000000000CCB000-memory.dmp

Filesize
5.6MB

Download
memory/2208-3-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2208-4-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/2208-5-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/2208-9-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2208-8-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2208-0-0x0000000000260000-0x0000000000578000-memory.dmp

Filesize
3.1MB

Download
memory/2208-7-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/2208-21-0x0000000000260000-0x0000000000578000-memory.dmp

Filesize
3.1MB

Download
memory/2208-2-0x0000000000260000-0x0000000000578000-memory.dmp

Filesize
3.1MB

Download
memory/2208-1-0x00000000779D6000-0x00000000779D8000-memory.dmp

Filesize
8KB

Download
memory/2208-6-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3560-90-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3560-106-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/3560-82-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/3560-87-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/3560-91-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3560-92-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3560-96-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3560-97-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/3560-94-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/3680-349-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/3864-366-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3872-308-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3872-303-0x0000000000280000-0x0000000000738000-memory.dmp

Filesize
4.7MB

Download
memory/3872-316-0x0000000000280000-0x0000000000738000-memory.dmp

Filesize
4.7MB

Download
memory/3872-304-0x0000000000280000-0x0000000000738000-memory.dmp

Filesize
4.7MB

Download
memory/3872-305-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3872-307-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3872-309-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3872-306-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/4504-251-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/4504-245-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4504-243-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/4504-244-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/4504-252-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/4504-250-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4504-249-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4504-248-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/4504-247-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4504-246-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/4536-166-0x00007FFAD8920000-0x00007FFAD93E2000-memory.dmp

Filesize
10.8MB

Download
memory/4536-168-0x000002655BE60000-0x000002655BE70000-memory.dmp

Filesize
64KB

Download
memory/4536-170-0x000002655C470000-0x000002655C47A000-memory.dmp

Filesize
40KB

Download
memory/4536-176-0x00007FFAD8920000-0x00007FFAD93E2000-memory.dmp

Filesize
10.8MB

Download
memory/4536-169-0x00000265746F0000-0x0000026574702000-memory.dmp

Filesize
72KB

Download
memory/4536-165-0x000002655C3F0000-0x000002655C412000-memory.dmp

Filesize
136KB

Download
memory/4536-167-0x000002655BE60000-0x000002655BE70000-memory.dmp

Filesize
64KB

Download
memory/5080-286-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-74-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-29-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/5080-23-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-240-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-30-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-237-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-193-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-284-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-41-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-234-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-135-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-317-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-24-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/5080-319-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-25-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/5080-328-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-26-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/5080-273-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-27-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/5080-177-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download
memory/5080-28-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/5080-22-0x0000000000F00000-0x0000000001218000-memory.dmp

Filesize
3.1MB

Download