amadey | 9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a

Analysis

max time kernel
149s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25-04-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
Size

1.8MB
MD5

03d7ce2625f41608ae71f4fabf4d391d
SHA1

c396d4c513df5a76bcba97db966c98d378262854
SHA256

9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a
SHA512

7d97f4b996c2efa5aa92093a3b64fe3d45d61a606297b228f25f7b1a57eabf236461c35e7615dae21167fa02913c0c7a512da32070287896f6c8a1194aadd1d7
SSDEEP

49152:03/bnqxRT3In44/3gItQ7+2QRmFx5MAuac:0jnI3In42RANbjc

Score

10^/10

amadey risepro evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorta.exeexplorta.exe9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exeexplorta.exeexplorta.exeamert.exe6c745731a4.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6c745731a4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

23 4732 rundll32.exe
32 1348 rundll32.exe
Downloads MZ/PE file

flow	pid	process
23	4732	rundll32.exe
32	1348	rundll32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorta.exeexplorta.exe9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exeexplorta.exe6c745731a4.exechrosha.exeamert.exeexplorta.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6c745731a4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6c745731a4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe

Executes dropped EXE 8 IoCs

Processes:

explorta.exeexplorta.exeamert.exee2cf7e23e4.exe6c745731a4.exechrosha.exeexplorta.exeexplorta.exe

pid process

4776 explorta.exe
4052 explorta.exe
2764 amert.exe
3540 e2cf7e23e4.exe
3272 6c745731a4.exe
2132 chrosha.exe
1708 explorta.exe
1496 explorta.exe

pid	process
4776	explorta.exe
4052	explorta.exe
2764	amert.exe
3540	e2cf7e23e4.exe
3272	6c745731a4.exe
2132	chrosha.exe
1708	explorta.exe
1496	explorta.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

chrosha.exeexplorta.exeexplorta.exe9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exeexplorta.exeexplorta.exeamert.exe6c745731a4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Wine	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Wine	6c745731a4.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4736 rundll32.exe
4732 rundll32.exe
1348 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4736	rundll32.exe
4732	rundll32.exe
1348	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\e2cf7e23e4.exe = "C:\\Users\\Admin\\1000013002\\e2cf7e23e4.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\6c745731a4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\6c745731a4.exe"	explorta.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\1000013002\e2cf7e23e4.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exeexplorta.exeexplorta.exeamert.exe6c745731a4.exechrosha.exeexplorta.exeexplorta.exe

pid	process
1088	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
4776	explorta.exe
4052	explorta.exe
2764	amert.exe
3272	6c745731a4.exe
2132	chrosha.exe
1708	explorta.exe
1496	explorta.exe

Drops file in Windows directory 2 IoCs

Processes:

9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorta.job	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585066367331173"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-801765966-3955847401-2235691403-1000\{CAFABB4E-F5F4-4EE7-9108-7C183F0E8B08}	chrome.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exeexplorta.exeexplorta.exeamert.exechrome.exe6c745731a4.exechrosha.exeexplorta.exerundll32.exepowershell.exeexplorta.exechrome.exe

pid	process
1088	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
1088	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
4776	explorta.exe
4776	explorta.exe
4052	explorta.exe
4052	explorta.exe
2764	amert.exe
2764	amert.exe
3980	chrome.exe
3980	chrome.exe
3272	6c745731a4.exe
3272	6c745731a4.exe
2132	chrosha.exe
2132	chrosha.exe
1708	explorta.exe
1708	explorta.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
1424	powershell.exe
1424	powershell.exe
1424	powershell.exe
1496	explorta.exe
1496	explorta.exe
2124	chrome.exe
2124	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3980 chrome.exe
3980 chrome.exe
3980 chrome.exe
3980 chrome.exe

pid	process
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

e2cf7e23e4.exechrome.exe

pid	process
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3540	e2cf7e23e4.exe
3980	chrome.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3980	chrome.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe

Suspicious use of SendNotifyMessage 50 IoCs

Processes:

e2cf7e23e4.exechrome.exe

pid	process
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe
3540	e2cf7e23e4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exeexplorta.exee2cf7e23e4.exechrome.exe

description	pid	process	target process
PID 1088 wrote to memory of 4776	1088	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe	explorta.exe
PID 1088 wrote to memory of 4776	1088	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe	explorta.exe
PID 1088 wrote to memory of 4776	1088	9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe	explorta.exe
PID 4776 wrote to memory of 4472	4776	explorta.exe	explorta.exe
PID 4776 wrote to memory of 4472	4776	explorta.exe	explorta.exe
PID 4776 wrote to memory of 4472	4776	explorta.exe	explorta.exe
PID 4776 wrote to memory of 2764	4776	explorta.exe	amert.exe
PID 4776 wrote to memory of 2764	4776	explorta.exe	amert.exe
PID 4776 wrote to memory of 2764	4776	explorta.exe	amert.exe
PID 4776 wrote to memory of 3540	4776	explorta.exe	e2cf7e23e4.exe
PID 4776 wrote to memory of 3540	4776	explorta.exe	e2cf7e23e4.exe
PID 4776 wrote to memory of 3540	4776	explorta.exe	e2cf7e23e4.exe
PID 3540 wrote to memory of 3980	3540	e2cf7e23e4.exe	chrome.exe
PID 3540 wrote to memory of 3980	3540	e2cf7e23e4.exe	chrome.exe
PID 3980 wrote to memory of 3600	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3600	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3144	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3108	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3108	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2492	3980	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe
"C:\Users\Admin\AppData\Local\Temp\9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
3⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Users\Admin\1000013002\e2cf7e23e4.exe
"C:\Users\Admin\1000013002\e2cf7e23e4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd2473ab58,0x7ffd2473ab68,0x7ffd2473ab78
5⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:2
5⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:8
5⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:8
5⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:1
5⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:1
5⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3496 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:1
5⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3256 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:1
5⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3920 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:8
5⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:8
5⤵
- Modifies registry class
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:8
5⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:8
5⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:8
5⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2384 --field-trial-handle=1844,i,13132177274186678507,3660752027130137841,131072 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124

C:\Users\Admin\AppData\Local\Temp\1000014001\6c745731a4.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\6c745731a4.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2132

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:4736

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\017659663955_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1348

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000013002\e2cf7e23e4.exe
Filesize
1.1MB

MD5
530ad43d9e577b0882498e1629ac0340

SHA1
f1d87a06c3142c85ae9fcb12692d2585b8d6d0cd

SHA256
f3f1466982163b2bd692ab5cefe97c0328f639d57abaf370d8de7435acc62398

SHA512
d04c0060537035b1a75c71163d8a18f895fc0b293ce967784f24158ca67d3cd5aaa8a7eee1906ab4622fa7a228de6986cfab4d5724f684926b6c5cf5d19638d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\56f24099-94e3-4273-a51f-3d750a9cf4d9.tmp
Filesize
7KB

MD5
e57e10e3c608f01fbab42a8f822f15a7

SHA1
2dea525722215c6e53512af71728505d6bd7c928

SHA256
917f3246a481b860138da8523ed0ee0b7f9a57e5e38c1854a77cba219bbd6d48

SHA512
0b17dfa93f713855d1e5ad3ef82682e0f6ceb2532ffd84fbefa0f26e8780e9b83c4c9dbfebf6ae2d694dacf1197726142d82123d32f12e9b7bf2a171cc3eeb60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
f076a4cbde0c6eb322f90374e4751e3f

SHA1
64b2394376406a3343927f86f193bf1d98ec8c87

SHA256
fd0ee7d68a4c39b85136e51813af1425d09cb07312c301cdc65955e540b305a7

SHA512
46fd1fd5aa34c37bfbabc61260e54178442a5ae043c90b42b563a455ceb88287a663fd2efc7ed09eb595c9c020f980a6406ac5be585b86a7eb1e02ed49bebd1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
aab7d20ab17ee027ed4a297638e24c99

SHA1
64d1a7de38f8319cf37630e46b49080cd6906b4a

SHA256
2d85fe3767d41e01ddd6b6ccdcab5556abbb6d9fb92ef0fd128a4a67f109c79a

SHA512
ddc6edd5c3e28ca9adaad035e26038c7e5e69a280973906b1554853af2b73cd267a3d7a715e91e8f35261edfa79ba1030677e216de08eb0d992570cf597c7b79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
b7ef7f73b97479e62f3d2533ee52458c

SHA1
ad2aaa338debec7528d833c5297f28ee47a22acb

SHA256
2369a6b23a2cb5ec489b16eb2c5ccd0192ace3a32cc6e8ffe3e21f658c575668

SHA512
f868f599f11b3a7a62e5ede3012b5f35267f331c070aa36952924de9005b98e9db87efffdaf725659dd888f700dd1f9100e66201cfa613161b2a0fbc91fc2437

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
520B

MD5
16f1d6bef7409a0b340d49f513c58d61

SHA1
a1b0a27bdb864d01ed4e23f9e93d4bb2ac7da83c

SHA256
664b560ad3bf8576c9d6ab245e21254b60cf4a6cdcde380581cca6746e5198e6

SHA512
26142b5af239dce9efe39911d8cc49837957228a2d6a7d29cd49b143faa041a35ee6805194b9ff909d46181e7a12ba66ad10e7806e530934414a4788d13fb4a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
cd583b75cef6f3b50f45c0cab449e9fb

SHA1
ec855faa6f843b5265d43c745eefd148d50b204d

SHA256
3689fc5f5c7ea7d0d2fd3b0695a2850e254c88c5248163e06b70ebcf39f03238

SHA512
605a09239b7a41e1af1cdc9e76419d28024f1eb285369d65555fb0be7fbe3611512640d9df09f0733db7e9577a6d795006e2f9aaa8089c2e86654d7874f3d324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
253KB

MD5
d0c42266fc7a0cb3d936d37db94aba3b

SHA1
06c3f5f0438481157db232f488cf3610babd71f4

SHA256
ef5d23a73366da32d4e7dc16afb890ece3bde1887d8216df947bfcc15fc5439a

SHA512
8363cd1da606f2f104738520ab8dee78b8042c63fa8a03b01f5cd3aaeefab5f631017baf2adf19983c48c5f486fa493c4689e845fb91cfcddeea688bb9a3df7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
Filesize
1.8MB

MD5
a888a5da90f5ed7c95c0f18b0c952e41

SHA1
0899f6b32faa0bdf420939c17376ea31fe532f51

SHA256
c4e6a95123560d53b28898d4d0ce58cbce6fed215932f2b9ebce620f68ed9fcc

SHA512
9b644a0ed0033d44405c0744917450eb42b166705672d69255ae3acad0e879b822748e08d7513f68cf8c169c8e8e75cfa271aa2698cc8375c6f434762d299a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\6c745731a4.exe
Filesize
2.3MB

MD5
48a67fd772d60ceccc25c7480cdb138a

SHA1
d71e9170aab9ca931170eaca055d4d57dad90f6c

SHA256
92fd9bfc7c04e09762e8270bb9497e70c260862bc7e29e3c337fff9a6f583f60

SHA512
17916f6d2c532f7758a171311647f14ad20e877c4d114aab628a2eeb84529c8db0705215fe4a7eafbabceb12cf19eefcd2d452c888af138802da64ae3f3ef0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Filesize
1.8MB

MD5
03d7ce2625f41608ae71f4fabf4d391d

SHA1
c396d4c513df5a76bcba97db966c98d378262854

SHA256
9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a

SHA512
7d97f4b996c2efa5aa92093a3b64fe3d45d61a606297b228f25f7b1a57eabf236461c35e7615dae21167fa02913c0c7a512da32070287896f6c8a1194aadd1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e20zpxa3.0eq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
\??\pipe\crashpad_3980_DWXTUPNFLITDXFKK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1088-2-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1088-0-0x0000000000470000-0x000000000091E000-memory.dmp

Filesize
4.7MB

Download
memory/1088-4-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1088-5-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/1088-6-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/1088-19-0x0000000000470000-0x000000000091E000-memory.dmp

Filesize
4.7MB

Download
memory/1088-8-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1088-3-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1088-7-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/1088-1-0x0000000077D86000-0x0000000077D88000-memory.dmp

Filesize
8KB

Download
memory/1496-340-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1708-238-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/1708-242-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1708-235-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1708-237-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1708-236-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/1708-239-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2132-232-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/2132-324-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2132-224-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2132-226-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2132-225-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2132-227-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/2132-330-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2132-228-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/2132-327-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2132-233-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/2132-321-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2132-284-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2132-246-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2132-230-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/2132-229-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2132-231-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2132-223-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2132-343-0x0000000000EE0000-0x000000000139D000-memory.dmp

Filesize
4.7MB

Download
memory/2764-78-0x0000000000CF0000-0x00000000011AD000-memory.dmp

Filesize
4.7MB

Download
memory/2764-57-0x0000000000CF0000-0x00000000011AD000-memory.dmp

Filesize
4.7MB

Download
memory/2764-58-0x0000000000CF0000-0x00000000011AD000-memory.dmp

Filesize
4.7MB

Download
memory/2764-59-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2764-60-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2764-61-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/2764-66-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2764-64-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/2764-63-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/2764-62-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3272-161-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/3272-153-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-350-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-200-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-342-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-329-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-207-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-326-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-209-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-323-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-220-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-311-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-275-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-190-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-244-0x0000000000C00000-0x00000000011F7000-memory.dmp

Filesize
6.0MB

Download
memory/3272-165-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3272-166-0x0000000004E50000-0x0000000004E52000-memory.dmp

Filesize
8KB

Download
memory/3272-158-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3272-162-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3272-163-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3272-164-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3272-159-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3272-155-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3272-160-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3272-157-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3272-156-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4052-31-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4052-38-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4052-37-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/4052-32-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/4052-33-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/4052-36-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4052-34-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/4052-35-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4776-24-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/4776-325-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-25-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4776-26-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/4776-310-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-189-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-27-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/4776-22-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4776-322-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-219-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-261-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-150-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-208-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-23-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/4776-328-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-28-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/4776-243-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-21-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-341-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-201-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-39-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-349-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4776-29-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download