amadey | 3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25-04-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
Size

1.8MB
MD5

470e00b23319921baa7b3cf9458e0565
SHA1

67de5bca4134965bc3ac4162de31253f3b5431ec
SHA256

3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5
SHA512

9e9aa5d8b1d7394f57be4e97ad4044ad0a350edf71bd823c4fc130cc44b7f344edca8d602c6b6c4b2fe63dda0498f72fe385e9cc5a831ea27e5d8eb030df8668
SSDEEP

49152:H3/bnHu5IA2sqyzpg3Mg+dm5YPGZ9ekHVFf:HjnHu/LgUWGGZ9XF

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorta.exe3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exeexplorta.exeamert.exed9fc8b9d0f.exechrosha.exeexplorta.exeexplorta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d9fc8b9d0f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

24 3560 rundll32.exe
25 3388 rundll32.exe
Downloads MZ/PE file

flow	pid	process
24	3560	rundll32.exe
25	3388	rundll32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exeexplorta.exed9fc8b9d0f.exeexplorta.exeexplorta.exeamert.exechrosha.exeexplorta.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d9fc8b9d0f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d9fc8b9d0f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe

Executes dropped EXE 8 IoCs

Processes:

explorta.exeamert.exe275976bfdd.exed9fc8b9d0f.exechrosha.exeexplorta.exeexplorta.exeexplorta.exe

pid process

2088 explorta.exe
2080 amert.exe
3900 275976bfdd.exe
4464 d9fc8b9d0f.exe
4444 chrosha.exe
1136 explorta.exe
4056 explorta.exe
1872 explorta.exe

pid	process
2088	explorta.exe
2080	amert.exe
3900	275976bfdd.exe
4464	d9fc8b9d0f.exe
4444	chrosha.exe
1136	explorta.exe
4056	explorta.exe
1872	explorta.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorta.exeexplorta.exeexplorta.exe3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exeexplorta.exeamert.exed9fc8b9d0f.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	d9fc8b9d0f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	chrosha.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1488 rundll32.exe
3560 rundll32.exe
3388 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1488	rundll32.exe
3560	rundll32.exe
3388	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\275976bfdd.exe = "C:\\Users\\Admin\\1000013002\\275976bfdd.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Run\d9fc8b9d0f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\d9fc8b9d0f.exe"	explorta.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\1000013002\275976bfdd.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exeexplorta.exeamert.exed9fc8b9d0f.exechrosha.exeexplorta.exeexplorta.exeexplorta.exe

pid	process
652	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
2088	explorta.exe
2080	amert.exe
4464	d9fc8b9d0f.exe
4444	chrosha.exe
1136	explorta.exe
4056	explorta.exe
1872	explorta.exe

Drops file in Windows directory 2 IoCs

Processes:

3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorta.job	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584887324468040"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718508534-2116753757-2794822388-1000\{23509E86-E1E9-4B66-9DFA-24A7EA59FC87}	chrome.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exeexplorta.exeamert.exechrome.exed9fc8b9d0f.exechrosha.exeexplorta.exerundll32.exepowershell.exeexplorta.exechrome.exeexplorta.exe

pid	process
652	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
652	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
2088	explorta.exe
2088	explorta.exe
2080	amert.exe
2080	amert.exe
4164	chrome.exe
4164	chrome.exe
4464	d9fc8b9d0f.exe
4464	d9fc8b9d0f.exe
4444	chrosha.exe
4444	chrosha.exe
1136	explorta.exe
1136	explorta.exe
3560	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe
3560	rundll32.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
4164	chrome.exe
4164	chrome.exe
4056	explorta.exe
4056	explorta.exe
436	chrome.exe
436	chrome.exe
1872	explorta.exe
1872	explorta.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4164 chrome.exe
4164 chrome.exe
4164 chrome.exe
4164 chrome.exe

pid	process
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe
Token: SeCreatePagefilePrivilege	4164	chrome.exe
Token: SeShutdownPrivilege	4164	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

275976bfdd.exechrome.exe

pid	process
3900	275976bfdd.exe
3900	275976bfdd.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
3900	275976bfdd.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
3900	275976bfdd.exe
4164	chrome.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

275976bfdd.exechrome.exe

pid	process
3900	275976bfdd.exe
3900	275976bfdd.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
3900	275976bfdd.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
4164	chrome.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe
3900	275976bfdd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exeexplorta.exe275976bfdd.exechrome.exe

description	pid	process	target process
PID 652 wrote to memory of 2088	652	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe	explorta.exe
PID 652 wrote to memory of 2088	652	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe	explorta.exe
PID 652 wrote to memory of 2088	652	3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe	explorta.exe
PID 2088 wrote to memory of 4652	2088	explorta.exe	explorta.exe
PID 2088 wrote to memory of 4652	2088	explorta.exe	explorta.exe
PID 2088 wrote to memory of 4652	2088	explorta.exe	explorta.exe
PID 2088 wrote to memory of 2080	2088	explorta.exe	amert.exe
PID 2088 wrote to memory of 2080	2088	explorta.exe	amert.exe
PID 2088 wrote to memory of 2080	2088	explorta.exe	amert.exe
PID 2088 wrote to memory of 3900	2088	explorta.exe	275976bfdd.exe
PID 2088 wrote to memory of 3900	2088	explorta.exe	275976bfdd.exe
PID 2088 wrote to memory of 3900	2088	explorta.exe	275976bfdd.exe
PID 3900 wrote to memory of 4164	3900	275976bfdd.exe	chrome.exe
PID 3900 wrote to memory of 4164	3900	275976bfdd.exe	chrome.exe
PID 4164 wrote to memory of 2368	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2368	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2364	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 1208	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 1208	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe
PID 4164 wrote to memory of 2988	4164	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe
"C:\Users\Admin\AppData\Local\Temp\3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
3⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Users\Admin\1000013002\275976bfdd.exe
"C:\Users\Admin\1000013002\275976bfdd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85c93ab58,0x7ff85c93ab68,0x7ff85c93ab78
5⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:2
5⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1572 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:1
5⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:1
5⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4172 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:1
5⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3304 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:1
5⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4388 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:3628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
- Modifies registry class
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:32

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:8
5⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 --field-trial-handle=1888,i,14806733987902049556,3974309155021967391,131072 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Users\Admin\AppData\Local\Temp\1000014001\d9fc8b9d0f.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\d9fc8b9d0f.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:1488

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3560

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\718508534211_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3388

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000013002\275976bfdd.exe
Filesize
1.1MB

MD5
8afe7a8eebdb322e9231544b0732eac1

SHA1
acc5c45053653daf2b0d0ad6a70accb6509c6ed7

SHA256
1faf3b7ff0e226058ab79dccf6830ee26214ea4a65aa7b48a2078a93c620663e

SHA512
8a5a8f2ef6c7433719d0fde5219c44f6bce95a45cc0d4d0c3c3bd83711fb4e68ca0362d4abd28101ceb888a9a46f44f74f104deb4e4d0eec91f60dbec66ae995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
0b17291d1e93aa20bc0c77ed26385522

SHA1
0fea33c8ab5d8216b826835cfaecdd491c29cadd

SHA256
53342ac3ded18df381e00fdb3235e7436fde5eea7f50cef14b4106afd06f3245

SHA512
a9a331eb2ed71046ad33d969744fefe5fb30314709f8013e72d696336333bab1c14b811aac347759ae4e812118294583361d7aee8bf792aecbad41a5ac0a6640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
30685343e3a65175e8857b2ac7c95c1d

SHA1
a6c11a7b48863a74877a4be1f933cb5319887b9c

SHA256
9fb780735dd3a37eba6bfdf444c94a03804ea43b7bd63d1abea710073a859020

SHA512
eda8548d107088d2a419441a0e46ac6b9a355bc7a57c23ba329d73abf0c0850860c247bc7fc0d63cf9d3bfa3450cdb07b7945741232044b750f93472c899d12f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
28a4dd52a62212e1be9626c2f618152d

SHA1
0e3673ca13d4f8f7f4a3ed4ebe9892e0b20d2cea

SHA256
a9fac62cce577bde29d8e51d0be55b2540fcd64fb0a0e4c82a8fe5bc2b6a1053

SHA512
fd5eb52714625a5e903e41f9e3a09a76b156d6090e4204eacef724b97ec4b985d709b9509a1ceec268dfd60905b053872faaba3ab1e8b77f766feeba61102658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
3eadda317c7a29b0528319cc5ccb3a34

SHA1
d3c94063051898a2187f04b68ce1597a5a176bf0

SHA256
669f4690924dea1e76943d0bdf84d0209b93e911bab23fb6b460ba201ecabc82

SHA512
43bf13fe402a22d13a86cf879fb4837a1b76624ec9667c1267bae8e49ffcce9fe276f1e985208ddec21c7c914750ed5d3e18e594f92cb251bf77b437356c0c0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
5763228a7a541326f4298870ed3238d6

SHA1
dbd9469ddf21031a1810ec7d0cc34179fd60b931

SHA256
868d3bf620e82da64a3742f1ae9441836c6fd2dfc8b2c90a7bc1eb140c35c5d4

SHA512
aa615cc6c7f69d294f1adb946244e2b52c530232086da9a0f0d73aeec9385ae25c76a4cd54703405b118e39eb75a5d63b92a847399663fce6cb28d283985b32e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5b01dac754dc8793922a8cb22e509fa0

SHA1
c077358649e320fb4cf15e1f274d8c1a38e58f13

SHA256
7470eb8e2f5d40891726446f3cb64f9c662d0d37777b5c0d0397a68736db6137

SHA512
6a271049e4c7055ca982dfacb3c57bd831e3fa25154aacabacb8b4e1406b26bc9104507d9fcd264743e853208a910f930b6242b3730b702d1bfad2e884e707e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
61fd3616ff45497ed88683c008380e2f

SHA1
5963d7c3560d5cdd2adb6f65b1641d3655a04058

SHA256
19a82c3883efcabf7cc0f39a6cd3bbaf6afe9040077ebcbcd924420c9ff8da44

SHA512
722f2e2169a6532d75c51d305db27801efb013ea24631d1bbda2f8f5c7002f053231dc6953c8388923c1d5b0cacb8ca33438306e575d81eceef52a654067e560

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
751a5c3928c1ab05f0a1a1abbb6ecaa5

SHA1
562ecd4ceddc27c030e310c35575b8c7a6d58a68

SHA256
0d401c125e716360891e172616bf28ad898675fbc9caa00acbe7f269804be6e2

SHA512
0da829d834c72d26ce4d9a041fea426b21d0b9b4c0ec9fbecac8699396b1cf2483115cc58a36de3b3172c4084ebf8a961ddbb7fdf96503fd7e2db19a21a6fabf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
48d48b3e964e468861ca91fdfeb17b5c

SHA1
8b7faa1659b2fab5c30719239a35f9b32e719bf5

SHA256
28425933e4826bd06cb197aec7230da348e8c6afa923e5d5fe311162ff6bfca9

SHA512
6aa47d5549375e5fa097004748571cb1fa961d9481445983a18d3f3902d49b85cd24e684a66a40d4d468bab211bc7838286930f67718222ed85a563dd160eb32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
254KB

MD5
02b74afeb5d98bc206aae87d7ea0749e

SHA1
9147db73742a349766d805c17782d908ea58bc79

SHA256
8ab00966ff2216e368d16fbcef950a600a2751af64519c0cbe5b3a46ce6aff23

SHA512
7ef4ac5e2086529dfc8de57e6dba9490afef17e6e1a19e780f137a5bd88479e394974c353dd3849ecfb462a452fbc8a48ce0d49bcaa91f249edfcafcdda53c29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
292KB

MD5
a68bb1108f87fcbc887f5a1319664114

SHA1
570ab64aeed13204f263f9e66157721ad62194ab

SHA256
3d5d625fecf730dabb83a8edb878c6766cac1a98d612393950af1854e835fe7d

SHA512
69c937e40c52beea1da7e0ad270aca4785257c049b836a6a3df9399f429a7557f996f00178eb4dfc1f3bcac95f252fd6bc9b409652a59d08f1ad86801ef22d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
89KB

MD5
414494f8327e8a99aeada9f1e5fbd9e0

SHA1
8c162151c5b77f12977009ca7690151c49ebaa99

SHA256
8b90a0733a408430636420b61e51b8bc879c5bf97b9eb5e23daa428f72940567

SHA512
c758c225715dc65932ae1e371160648837032f6134e761c5dd84db749b74eb5d91d8d52ea976266d55334a828122bc44715542322a1571ae049b67e4e2a036b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5822a6.TMP
Filesize
86KB

MD5
5e5458141a4879719f44b1f1da55efa9

SHA1
9f0c2352afb92a100645a699836e2710637a0d75

SHA256
173625ecf5181e8397f2e0839b1483660b91e640f16f408b07dc6ea443305543

SHA512
dca849e5673707c9cb6e68d7bd9015fd786b14403bb0848b4d35632fb31da7356644e1ff49809c065b28c3805fafea5eba50bd43e6c1f24791acaab439b87101

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
Filesize
1.8MB

MD5
7b51614032cf0e89432f5ff123c65044

SHA1
c9aeeee7d2db471eac0bf71cfa948d491a2bb4b6

SHA256
f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287

SHA512
20603dc18c014996fdf5773f473471527c8454c64c67344264ffa1798ed151d4bb09375fc151b2cfa4503607b707db18d9f0ba96775872fc3e94be58963b55f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\d9fc8b9d0f.exe
Filesize
2.3MB

MD5
e42d0905c3d77e06760b9a71fdfb491a

SHA1
30a365648b7f293978cc8de99fb9bded37923ece

SHA256
0abb82aa870f4e816981959b57d1e42a9a45acdf2fc9edba1df206320ef4ddb0

SHA512
a5f715edc114df11063e060e529b32e1ced26ebbb5d330ae370bd27d00ff4b7c917fa27dd71294cccf8451852a5773300cc6a5c71b5b52aa846b1750e7606a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Filesize
1.8MB

MD5
470e00b23319921baa7b3cf9458e0565

SHA1
67de5bca4134965bc3ac4162de31253f3b5431ec

SHA256
3c10ae813ad3b8b366afe654873046cfe130b27d561ce7ca2616e3e1ec0522f5

SHA512
9e9aa5d8b1d7394f57be4e97ad4044ad0a350edf71bd823c4fc130cc44b7f344edca8d602c6b6c4b2fe63dda0498f72fe385e9cc5a831ea27e5d8eb030df8668

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvz5sq4v.iwv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
\??\pipe\crashpad_4164_ARGYUIFTGDZSZIZZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/652-8-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/652-0-0x00000000009A0000-0x0000000000E6D000-memory.dmp

Filesize
4.8MB

Download
memory/652-4-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/652-3-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/652-5-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/652-1-0x0000000077196000-0x0000000077198000-memory.dmp

Filesize
8KB

Download
memory/652-6-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/652-19-0x00000000009A0000-0x0000000000E6D000-memory.dmp

Filesize
4.8MB

Download
memory/652-7-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/652-2-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1136-210-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1136-211-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/1136-209-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/1136-200-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/1136-213-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/1136-212-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/1136-214-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/1136-215-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/1872-413-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2080-52-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/2080-82-0x0000000000E90000-0x0000000001347000-memory.dmp

Filesize
4.7MB

Download
memory/2080-69-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/2080-60-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/2080-56-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/2080-55-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/2080-51-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/2080-53-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/2080-54-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/2080-50-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/2080-49-0x0000000000E90000-0x0000000001347000-memory.dmp

Filesize
4.7MB

Download
memory/2080-48-0x0000000000E90000-0x0000000001347000-memory.dmp

Filesize
4.7MB

Download
memory/2088-29-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/2088-59-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-344-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-245-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-365-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-377-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-312-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-380-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-309-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-383-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-386-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-394-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-288-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-173-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-21-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-58-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-224-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/2088-30-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2088-28-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2088-27-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/2088-26-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2088-25-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2088-24-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/2088-22-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2088-23-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/2268-256-0x00007FF8485C0000-0x00007FF849082000-memory.dmp

Filesize
10.8MB

Download
memory/2268-255-0x000001CF3EF00000-0x000001CF3EF22000-memory.dmp

Filesize
136KB

Download
memory/4056-364-0x0000000000A60000-0x0000000000F2D000-memory.dmp

Filesize
4.8MB

Download
memory/4444-203-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4444-382-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-405-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-246-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-216-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4444-207-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4444-206-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4444-393-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-274-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-208-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4444-205-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/4444-202-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-204-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4444-385-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-308-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-231-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-379-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-311-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-198-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-376-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-320-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4444-346-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4464-165-0x0000000005410000-0x0000000005412000-memory.dmp

Filesize
8KB

Download
memory/4464-164-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4464-345-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-193-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-163-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4464-162-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4464-161-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4464-160-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/4464-375-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-319-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-159-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/4464-378-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-310-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-158-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4464-381-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-201-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-157-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/4464-384-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-307-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-156-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/4464-392-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-273-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-155-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4464-154-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/4464-404-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-230-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download
memory/4464-153-0x0000000000C50000-0x0000000001243000-memory.dmp

Filesize
5.9MB

Download