amadey | 6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
Size

3.1MB
MD5

3520bfaf56ae8f2fb8d88607788aa34d
SHA1

6cd57cf9fafdafbf54b598687db4b114c26d9fc5
SHA256

6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0
SHA512

9d1de9b70b92ed3c674c9d9731eca42faafe9c72db5713487c2bb7340da1ce97438d4b657b0152b30b9e8b6e17a9366c8e0224132b1c25ddcdd34df905d5c3d2
SSDEEP

49152:4Ym4B36AUiCEuJ5rMj5Ti5jwT+BVTiy8+A6XZEeqGUPe:Vm4B8iCEU5rU5Ti5j1BVT/8+A+1LU

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.93:58709

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeamert.exeexplorha.exe6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exeexplorha.exe9a97a09e42.exeexplorha.exeexplorha.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9a97a09e42.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

23 396 rundll32.exe
26 5092 rundll32.exe
Downloads MZ/PE file

flow	pid	process
23	396	rundll32.exe
26	5092	rundll32.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorha.exe9a97a09e42.exeamert.exeexplorha.exeexplorha.exeexplorha.exechrosha.exe6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9a97a09e42.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9a97a09e42.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Executes dropped EXE 10 IoCs

Processes:

explorha.exeef4c143f25.exeexplorha.exe9a97a09e42.exeexplorha.exeexplorha.exerules.exeamert.exechrosha.exeexplorha.exe

pid	process
224	explorha.exe
1904	ef4c143f25.exe
232	explorha.exe
772	9a97a09e42.exe
3096	explorha.exe
4740	explorha.exe
2204	rules.exe
1732	amert.exe
3660	chrosha.exe
3536	explorha.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeexplorha.exeamert.exechrosha.exeexplorha.exe9a97a09e42.exeexplorha.exe6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	9a97a09e42.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	explorha.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4572 rundll32.exe
396 rundll32.exe
5092 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4572	rundll32.exe
396	rundll32.exe
5092	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef4c143f25.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\ef4c143f25.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\9a97a09e42.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\9a97a09e42.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\rules.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058001\\rules.exe"	explorha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\ef4c143f25.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exeexplorha.exeexplorha.exe9a97a09e42.exeexplorha.exeexplorha.exeamert.exechrosha.exeexplorha.exe

pid	process
1740	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
224	explorha.exe
232	explorha.exe
772	9a97a09e42.exe
3096	explorha.exe
4740	explorha.exe
1732	amert.exe
3660	chrosha.exe
3536	explorha.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

explorha.exe

description pid process target process

PID 224 set thread context of 3096 224 explorha.exe explorha.exe

description	pid	process	target process
PID 224 set thread context of 3096	224	explorha.exe	explorha.exe

Drops file in Windows directory 2 IoCs

Processes:

6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3280 2204 WerFault.exe rules.exe

pid	pid_target	process	target process
3280	2204	WerFault.exe	rules.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581043152947417"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-834482027-582050234-2368284635-1000\{873ADA04-CE80-4A8B-B460-AE1EA8D26EB0}	chrome.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exeexplorha.exechrome.exerundll32.exepowershell.exeexplorha.exe9a97a09e42.exeexplorha.exeexplorha.exeamert.exechrome.exechrosha.exeexplorha.exe

pid	process
1740	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
1740	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
224	explorha.exe
224	explorha.exe
2736	chrome.exe
2736	chrome.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
1124	powershell.exe
1124	powershell.exe
1124	powershell.exe
232	explorha.exe
232	explorha.exe
772	9a97a09e42.exe
772	9a97a09e42.exe
3096	explorha.exe
3096	explorha.exe
4740	explorha.exe
4740	explorha.exe
1732	amert.exe
1732	amert.exe
1124	chrome.exe
1124	chrome.exe
3660	chrosha.exe
3660	chrosha.exe
3536	explorha.exe
3536	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2736 chrome.exe
2736 chrome.exe
2736 chrome.exe
2736 chrome.exe

pid	process
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe
Token: SeCreatePagefilePrivilege	2736	chrome.exe
Token: SeShutdownPrivilege	2736	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exeef4c143f25.exechrome.exe

pid	process
1740	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
1904	ef4c143f25.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
1904	ef4c143f25.exe
2736	chrome.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

ef4c143f25.exechrome.exe

pid	process
1904	ef4c143f25.exe
1904	ef4c143f25.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
1904	ef4c143f25.exe
2736	chrome.exe
2736	chrome.exe
2736	chrome.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe
1904	ef4c143f25.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exeexplorha.exeef4c143f25.exechrome.exe

description	pid	process	target process
PID 1740 wrote to memory of 224	1740	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe	explorha.exe
PID 1740 wrote to memory of 224	1740	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe	explorha.exe
PID 1740 wrote to memory of 224	1740	6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe	explorha.exe
PID 224 wrote to memory of 1904	224	explorha.exe	ef4c143f25.exe
PID 224 wrote to memory of 1904	224	explorha.exe	ef4c143f25.exe
PID 224 wrote to memory of 1904	224	explorha.exe	ef4c143f25.exe
PID 1904 wrote to memory of 2736	1904	ef4c143f25.exe	chrome.exe
PID 1904 wrote to memory of 2736	1904	ef4c143f25.exe	chrome.exe
PID 2736 wrote to memory of 1264	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 1264	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2720	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2580	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 2580	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe
PID 2736 wrote to memory of 808	2736	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe
"C:\Users\Admin\AppData\Local\Temp\6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\1000055001\ef4c143f25.exe
"C:\Users\Admin\AppData\Local\Temp\1000055001\ef4c143f25.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe8facab58,0x7ffe8facab68,0x7ffe8facab78
5⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:2
5⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:8
5⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2140 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:8
5⤵
PID:808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:1
5⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:1
5⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:1
5⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3384 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:1
5⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4412 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:8
5⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:8
5⤵
- Modifies registry class
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:8
5⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:8
5⤵
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:8
5⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2648 --field-trial-handle=1824,i,12467019200355593694,17670252354527486267,131072 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:4572

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\344820275820_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5092

C:\Users\Admin\AppData\Local\Temp\1000056001\9a97a09e42.exe
"C:\Users\Admin\AppData\Local\Temp\1000056001\9a97a09e42.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Users\Admin\AppData\Local\Temp\1000058001\rules.exe
"C:\Users\Admin\AppData\Local\Temp\1000058001\rules.exe"
3⤵
- Executes dropped EXE
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 612
4⤵
- Program crash
PID:3280

C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3660

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 2204 -ip 2204
1⤵
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
360B

MD5
1a5cf6c3993d0bba7ce567f02702bce2

SHA1
7dc7de5182277cbfcf1457edc536c9b092b6711f

SHA256
41eae881b96b04f8e497413abe1614320a3beb621561a469c83cb7dd1af78d04

SHA512
863314961b83ffd04cc30678259ce284cef4ceaeea60df649d3e04939db4b5c49ef513a075897afd0e6229d7ad43e678b4c4212b2cb0db37ebfd6ee401ca79d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
0406281e0a5f288ac11750d70cc001dd

SHA1
cd53eb9b4b7ac138738cf07a064b8f5d1c545717

SHA256
3bfddb0da8b2820a2d4c8bca880981842ff52d9390f857f6ca675b20c59fc244

SHA512
9400701d72fe835be07bdb29d106b2989f1ed419f0eab0a8846f1c1a9d6faf1338a7fae9b99a738d1e90f51381940d35ee70e059fd32d52dbe51e7bdb5d07905

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
6d23505f232c54e7ecd29e893454ec98

SHA1
cf70e95171b8e98fb3af9f709e9e820da00ed8b2

SHA256
7ebf897bea189536a6faaa95d408fdec51ac576dd57716e17252c28e30370c2d

SHA512
931b8c56970f0760db70f4f916e025515c30b07a8cd6b7c22397710c57e5b000204ad99198086c4e435734c8ae3398e09a606b0654040760ed635c3c7e975169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
cc3d04d9323eaf7746d3681d4e3fe74c

SHA1
e2fab96205eb02abb0321a05f7672aee19873f5a

SHA256
a0d93f5786e1b29715f7fca411f61469b9d62c20072feb91c80488ee997014a6

SHA512
82030b277589da9e46275a2c950e32f52c823c7728c5c4cc667345045641bdb10506a884c4d64e5dac899f8a4c0e593524e3539c40d602c8bb9455f581902773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
175d487a567af51160a5553bd4fe2a6b

SHA1
1ea7acc4f5e7087cddfee13d9797da8e7b783c7a

SHA256
c41a10cf43c4deb39110cb9fea0bcd23c5844c2d020c44c01419f61e738efaa0

SHA512
7f6715063aa74196b9bc5cafd37571941c7cefbabf43f4531daca7214f0cb45efb6f3f3c30748c1ec8ee28eebec757297744aa83243c07c589e00a12d6158eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
e14e5e162f6a4c9fcb5e65c856393bdb

SHA1
9b552cd6377e1c4ac4d5abbf9b8ec1a6cca38e57

SHA256
55a8751a4f55df0c9cd16a817fb28e526c52d34fa0b0be86776aebed8add402e

SHA512
4079362942c39a9015d728449cf10a11d8eed550e3321bf2896037256ee91b2f3c5ed0a4c896acb244b1d940fe701f9f55e46c2a335b42dc61c75e57f7e6aeb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
9868a8f422ebe7c4310427bd08baf08f

SHA1
4930aea562b07dcfc63e12246375eed22161235b

SHA256
912f705ec42361f90b8428581929c688a86b54cf720b02470672a7fd95df43f2

SHA512
01fc4604d4bbd74271216ef5c0378ec78dc3ba9cd43860b90a219345ed7b249fdc39bf1cc0fccd7f464af92971281aee175203e8104451e5587ebe230d0cff81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
5b85a13870587f5ff3de4f6ee6d9d2b0

SHA1
bf0b3a060a5a8573e48731dbc2fd9600c235e3b0

SHA256
372d6e27e31a861e97f7cb6b0e973bdc4e87bcde5c843f4b3c50032bb807d778

SHA512
a72797785dd9d7960e21d884512d6094e62c0b5fbb984ab2dc3952b3cb2aaa7b0167e93e4e22b930cfcae52d1a54e2228192718241de00c4b36745ea83f4d9df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
252KB

MD5
a7d67bf9fbb0c92e2d48337da5e960ad

SHA1
65387f0e3f7b18262bb90ac14a806b2b888cc6bd

SHA256
c0533ee03107ca49937ff82230f4f3cc6a887fdef1c7a161b3653485e24f59f8

SHA512
2d08af1680c9f48ed14cc194814baa03b37a73e0264bea31a71e7c8e76c9e84c1913a6af9c161b59582f0caa2401d4cda7cf9311bcbee45481eb2286c3c4f628

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize
3.1MB

MD5
3520bfaf56ae8f2fb8d88607788aa34d

SHA1
6cd57cf9fafdafbf54b598687db4b114c26d9fc5

SHA256
6c6a4d49c85dfb3e517653fcbd9fa75032368e2a726fca6df7f811ad34b5eaa0

SHA512
9d1de9b70b92ed3c674c9d9731eca42faafe9c72db5713487c2bb7340da1ce97438d4b657b0152b30b9e8b6e17a9366c8e0224132b1c25ddcdd34df905d5c3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000055001\ef4c143f25.exe
Filesize
1.1MB

MD5
275e6ea4459fc0d0c79c15aee24dff1c

SHA1
db098e7cc8e826af07b0a3bd7a4d8a862816a793

SHA256
b4981e0a921cdade4722f4e4f1493534c7072aea43dd814cc9f832f4e07abdad

SHA512
b4b73c96a1546894cc8acdb965be8a68121ae69db2ed88683882a8b2a0baa2023289a39ebe54b643b634b061d69102b2ef03881f3f4292241210b03b32294007

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000056001\9a97a09e42.exe
Filesize
2.2MB

MD5
97136321d01d3c3beaa83a3e2c2bda15

SHA1
3458485e4b298ed3fac58043c83b1c4b2954b9ec

SHA256
270ec792fe4a39464cc7e8eacedc3936a0b88deb45e1cf2c1610086f16937846

SHA512
88f33fa02f0154f63c9ba6e6bc759bed8642cc3220e947c2744b14dfc8cb3fa777c09c909ff9254895ec5faf84adf87ddc0ca5246e2e3aa5a3a0d9f03513eb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058001\rules.exe
Filesize
932KB

MD5
62ebae72a62d46c48428046ba38e0dc2

SHA1
b09e0166ae6a95df4873b0945804cb2a196050bc

SHA256
020913a62c80e6f11bcdc016895944cbbd891ee9700f632c27360a0f97348bee

SHA512
1e22e28c4dc8030816217a953441cf338d9543b0ff292e18648c6776cdcf7bf2f19b08b02d61fa85c34aab3f89d247858462c7832b0a747747f742694ea7408b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe
Filesize
1.8MB

MD5
b294d3c2d960a5596e1aa6f38e64aabc

SHA1
d55c463fe052bf9d938574f5427b4a0c49afdfeb

SHA256
6ee4c08d1d9013e826cb39d7c557d24a228183ebf478126a92534b96991e0f8d

SHA512
2f1222f90446b48cdb726711b2b20baa7270a15ad1d993609a38ad96db302b3dc259b6b593e743f4714a98b546ae356e5b5ded36e525eaa7fe07ab8bb4da56e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tejhbyql.whi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
\??\pipe\crashpad_2736_NMFCYGRAHVLEPQAN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-320-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-232-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-31-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-24-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-25-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/224-26-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/224-97-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-103-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-27-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/224-28-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/224-29-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/224-22-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-235-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-362-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-345-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-402-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-221-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-270-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-173-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-394-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-189-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/224-30-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/224-382-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/232-151-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/232-153-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/232-154-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/232-152-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/232-150-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/232-149-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/232-163-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/232-148-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/232-145-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/772-302-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-400-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-392-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-405-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-208-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-210-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/772-209-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/772-211-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/772-212-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/772-214-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/772-213-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/772-215-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/772-216-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/772-218-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/772-217-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/772-219-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/772-220-0x0000000004F00000-0x0000000004F02000-memory.dmp

Filesize
8KB

Download
memory/772-380-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-231-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-341-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-233-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-234-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-346-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/772-237-0x0000000000A60000-0x0000000000FEF000-memory.dmp

Filesize
5.6MB

Download
memory/1124-146-0x00000233C7200000-0x00000233C7210000-memory.dmp

Filesize
64KB

Download
memory/1124-162-0x00007FFE7B700000-0x00007FFE7C1C2000-memory.dmp

Filesize
10.8MB

Download
memory/1124-156-0x00000233C7280000-0x00000233C728A000-memory.dmp

Filesize
40KB

Download
memory/1124-155-0x00000233DF540000-0x00000233DF552000-memory.dmp

Filesize
72KB

Download
memory/1124-147-0x00000233C7200000-0x00000233C7210000-memory.dmp

Filesize
64KB

Download
memory/1124-144-0x00000233C7200000-0x00000233C7210000-memory.dmp

Filesize
64KB

Download
memory/1124-143-0x00007FFE7B700000-0x00007FFE7C1C2000-memory.dmp

Filesize
10.8MB

Download
memory/1124-134-0x00000233C7240000-0x00000233C7262000-memory.dmp

Filesize
136KB

Download
memory/1732-379-0x0000000000E80000-0x000000000134E000-memory.dmp

Filesize
4.8MB

Download
memory/1740-7-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/1740-9-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1740-6-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1740-10-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1740-23-0x0000000000140000-0x000000000045F000-memory.dmp

Filesize
3.1MB

Download
memory/1740-5-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1740-8-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1740-3-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1740-0-0x0000000000140000-0x000000000045F000-memory.dmp

Filesize
3.1MB

Download
memory/1740-4-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1740-2-0x0000000000140000-0x000000000045F000-memory.dmp

Filesize
3.1MB

Download
memory/1740-1-0x0000000077476000-0x0000000077478000-memory.dmp

Filesize
8KB

Download
memory/2204-347-0x0000000000400000-0x0000000001AB4000-memory.dmp

Filesize
22.7MB

Download
memory/3096-259-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-264-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-267-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-266-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-268-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-269-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-271-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-272-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-240-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-273-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-274-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-281-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3096-280-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3096-282-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3096-283-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/3096-285-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3096-284-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3096-279-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/3096-278-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3096-277-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3096-276-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3096-286-0x00000000054F0000-0x00000000054F2000-memory.dmp

Filesize
8KB

Download
memory/3096-275-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/3096-265-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-263-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-243-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-262-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-261-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-260-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-244-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/3096-258-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-257-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-256-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-255-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-254-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-253-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-252-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-251-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-250-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-249-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-246-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-248-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-247-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/3096-245-0x0000000000400000-0x00000000009B3000-memory.dmp

Filesize
5.7MB

Download
memory/4740-310-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download