amadey | 4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25-04-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
Size

1.8MB
MD5

126c418bf263b13230462fd91c5dee18
SHA1

2f5bcba8453adec7bfe1baf9bbede7efaee9539c
SHA256

4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a
SHA512

74d52a022b3e2c6281543018508543c473b4beca00be951f9b5b4a7d47da6d67ce78831ef3c78878563aa0db5839eae28bed1ac76ef4d51375b838dfadf1ef4a
SSDEEP

49152:43/bnGc6YnG86tZfgoDZjUypRJo+pKE8Er1OEUT:4jnhGZfgOjFoO1hh+

Score

10^/10

amadey evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

chrosha.exeexplorta.exeexplorta.exeexplorta.exe4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exeexplorta.exeamert.exee3a38e9990.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e3a38e9990.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

26 1940 rundll32.exe
27 4820 rundll32.exe
Downloads MZ/PE file

flow	pid	process
26	1940	rundll32.exe
27	4820	rundll32.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorta.exeexplorta.exe4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exeexplorta.exeamert.exechrosha.exee3a38e9990.exeexplorta.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e3a38e9990.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e3a38e9990.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe

Executes dropped EXE 8 IoCs

Processes:

explorta.exeamert.exe2661bd25bc.exee3a38e9990.exechrosha.exeexplorta.exeexplorta.exeexplorta.exe

pid process

1696 explorta.exe
2824 amert.exe
5108 2661bd25bc.exe
4676 e3a38e9990.exe
5092 chrosha.exe
3840 explorta.exe
1620 explorta.exe
1364 explorta.exe

pid	process
1696	explorta.exe
2824	amert.exe
5108	2661bd25bc.exe
4676	e3a38e9990.exe
5092	chrosha.exe
3840	explorta.exe
1620	explorta.exe
1364	explorta.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amert.exee3a38e9990.exechrosha.exeexplorta.exeexplorta.exeexplorta.exe4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exeexplorta.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine	e3a38e9990.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
Key opened	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine	explorta.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

1964 rundll32.exe
1940 rundll32.exe
4820 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1964	rundll32.exe
1940	rundll32.exe
4820	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\2661bd25bc.exe = "C:\\Users\\Admin\\1000013002\\2661bd25bc.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\e3a38e9990.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\e3a38e9990.exe"	explorta.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\1000013002\2661bd25bc.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exeexplorta.exeamert.exee3a38e9990.exechrosha.exeexplorta.exeexplorta.exeexplorta.exe

pid	process
4708	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
1696	explorta.exe
2824	amert.exe
4676	e3a38e9990.exe
5092	chrosha.exe
3840	explorta.exe
1620	explorta.exe
1364	explorta.exe

Drops file in Windows directory 2 IoCs

Processes:

amert.exe4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	amert.exe
File created	C:\Windows\Tasks\explorta.job	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585160319860056"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-801878912-692986033-442676226-1000\{A398627B-A020-4228-B4C2-254B17D30984}	chrome.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exeexplorta.exeamert.exechrome.exee3a38e9990.exechrosha.exeexplorta.exerundll32.exepowershell.exeexplorta.exechrome.exeexplorta.exe

pid	process
4708	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
4708	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
1696	explorta.exe
1696	explorta.exe
2824	amert.exe
2824	amert.exe
1828	chrome.exe
1828	chrome.exe
4676	e3a38e9990.exe
4676	e3a38e9990.exe
5092	chrosha.exe
5092	chrosha.exe
3840	explorta.exe
3840	explorta.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
1620	explorta.exe
1620	explorta.exe
4956	chrome.exe
4956	chrome.exe
1364	explorta.exe
1364	explorta.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1828 chrome.exe
1828 chrome.exe
1828 chrome.exe
1828 chrome.exe

pid	process
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe
Token: SeCreatePagefilePrivilege	1828	chrome.exe
Token: SeShutdownPrivilege	1828	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

2661bd25bc.exechrome.exe

pid	process
5108	2661bd25bc.exe
5108	2661bd25bc.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
5108	2661bd25bc.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
5108	2661bd25bc.exe
1828	chrome.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

2661bd25bc.exechrome.exe

pid	process
5108	2661bd25bc.exe
5108	2661bd25bc.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
5108	2661bd25bc.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
1828	chrome.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe
5108	2661bd25bc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exeexplorta.exe2661bd25bc.exechrome.exe

description	pid	process	target process
PID 4708 wrote to memory of 1696	4708	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe	explorta.exe
PID 4708 wrote to memory of 1696	4708	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe	explorta.exe
PID 4708 wrote to memory of 1696	4708	4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe	explorta.exe
PID 1696 wrote to memory of 4872	1696	explorta.exe	explorta.exe
PID 1696 wrote to memory of 4872	1696	explorta.exe	explorta.exe
PID 1696 wrote to memory of 4872	1696	explorta.exe	explorta.exe
PID 1696 wrote to memory of 2824	1696	explorta.exe	amert.exe
PID 1696 wrote to memory of 2824	1696	explorta.exe	amert.exe
PID 1696 wrote to memory of 2824	1696	explorta.exe	amert.exe
PID 1696 wrote to memory of 5108	1696	explorta.exe	2661bd25bc.exe
PID 1696 wrote to memory of 5108	1696	explorta.exe	2661bd25bc.exe
PID 1696 wrote to memory of 5108	1696	explorta.exe	2661bd25bc.exe
PID 5108 wrote to memory of 1828	5108	2661bd25bc.exe	chrome.exe
PID 5108 wrote to memory of 1828	5108	2661bd25bc.exe	chrome.exe
PID 1828 wrote to memory of 3528	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 3528	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 2968	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 1908	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 1908	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe
PID 1828 wrote to memory of 4736	1828	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe
"C:\Users\Admin\AppData\Local\Temp\4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
3⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Users\Admin\1000013002\2661bd25bc.exe
"C:\Users\Admin\1000013002\2661bd25bc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1dafab58,0x7fff1dafab68,0x7fff1dafab78
5⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:2
5⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:8
5⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:8
5⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2148 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:1
5⤵
PID:1228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:1
5⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4160 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:1
5⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3260 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:1
5⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4000 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:8
5⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4312 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:8
5⤵
- Modifies registry class
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:8
5⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:8
5⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:8
5⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1808,i,14431154439939077005,8259084351257868078,131072 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Users\Admin\AppData\Local\Temp\1000014001\e3a38e9990.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\e3a38e9990.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:1964

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\018789126929_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4820

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3840

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000013002\2661bd25bc.exe
Filesize
1.1MB

MD5
919a6f77f81c5b989cb6bda9833dc666

SHA1
64e02e8971321dbcfb7dc083361de230febbf902

SHA256
b9296279d80a5b58ac0065455049f83f7d71eaf422cfed73b3b2561ecde04d8a

SHA512
7be129f6fcd8600a96bd8d444561035db7a564259ec5690a48358b8f0db6f87b1aedf054df0c40ca8c2d28e4d47234b56765bf951beebb224c1826b8ee4acb15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
e340b25d55a387370f839c532e96f1ce

SHA1
1e018200571616f1ca2c85d17ff092107f6161f1

SHA256
0e68eb4f59f7202015c58cd21c8da3fcc76d461265c3045f171317f45fcc801a

SHA512
8432f31b5643f9698de9ff433cc7779724ffe6ef37f13e48c944f49293f2f34b6213677c3362dab590b320d5bc428e1e51ea1850470a1b67eebb81536e440c07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
1b2ed07bc35356b7a1138b81854dd6b6

SHA1
0dba2b3b4ed03935e68d8e0addc84d17993ad034

SHA256
658fe4b52174562ca91f0082a25a647650bfc200e45c426654d57da6e075998e

SHA512
9c0471986a2588ca580f5a89b69d7e856f6c03677a7362d136fd81dc9c38e92d806d95eec382837b059675e0f36c385572d2cd90076f1026e8754873c9600da9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
28f767f96bde5665ddf511130b7adfc5

SHA1
b971264fc27a07fd039e1d6ca0922345c3c19eb8

SHA256
33c58d91281e58cf118cef93ac7dbe5375843b8db9e6838381d03246e8d72a34

SHA512
ea61a0e74e98bc963d6ccf358ba3a43a2e1a0e9849c6814e62c70bd9531ec3d6de39e212e2c9e1cbb34ebd430ce6bbbf2cfea489a165bc8be057c2487cd21402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
a7a1baa87fdd88743fbdccab7e6374e5

SHA1
1a8be423fddebcdc3710289c194e285443ca551c

SHA256
3e9452bd69663aa35e6ade76639fb8df62e302c5cfbe18fb8a92cf156f061fcc

SHA512
aa612e1e69a36a027db851871c8d45a4ae8c54ebb1f92c58a5b605ae632a44d3104c5018fae0ce64e86546dcea258e220d3fb4a600a3b3c98daa0064513254c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
522B

MD5
c052b383f824bbe4d9035afdc5aabd77

SHA1
3e144baa52a08d6c4d887af76931285485ea00a9

SHA256
2bd6d7c29fb2ad0fa8c42036943b0a8efd629f811e5ed4f5422c92b517039812

SHA512
6d52e79052bd4cf79a2373ebd5f483124ca4819624754a167baea12710d11af416ad17aaa59fcc787778f812eec6740073fe2da0395baa27bbce407f5d20587e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
0f805cc2f01a84d2649d872f438eb166

SHA1
4f7b5524cf1e77a76426c9ac40c6753a07a67423

SHA256
e86578cc6406766f9ebc65637c4344537a1ac56917ddfbe04087b3a1d997cd5d

SHA512
e72d18128a711eb1c75ca5bc267ace3b4058fb9234c3262284e41cd5f6d91f68f3283065d76ad51944266ebb4542981bd783cfbccefb5ed8a45d2fcc162f1d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
08299e04d49cad8c02616c7ad46eb409

SHA1
f48c005916ddcc33a5cec563cc98415012509e8e

SHA256
ee709883b50b7eb46b78204f57bfc682eddbc6aff004570d6080c10de7dd0349

SHA512
e9d6794351667f9e1a632d9794915db592736fb7795202c268aa53e4a53bbd8e542c58f3f5608bfc045ddad1be0e406819031b156a8f1f51ff443dbf81825859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
253KB

MD5
77e06a9178bd77de2f99d22252ffd6d9

SHA1
4379bbe1777d02644e4badfac79ba9b9d97f0844

SHA256
04816733955903fbe1488f5857b5c7d0f3a7c14c47c96c0baac51d8742e123f8

SHA512
f3db103aa28fda4a02e882d978e267fe209092db278c772445dbe1888c5ab7db276b0c7faa7c9dc0604ee06f049b35201805d190e9a84ec8b3d71c2350019581

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
Filesize
1.8MB

MD5
ac338e13157044447ee1c51026e46584

SHA1
91a659ab9b0279345daec05f0d4c01547b3739c1

SHA256
dba045ff9399749f8c0d73f2d66f41003b73ec53729bebfbc2be482223bd7ec2

SHA512
9a2a86841c9d316df37895bb58a08fe2085da47a1a8c808df224a08bbae3b535b306f68ccd7175438f5f9092aa37e7a9f77e7270b04fdea537fd387fbd9e05a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\e3a38e9990.exe
Filesize
2.3MB

MD5
516f4ae69573e3cb4e7ca44870a84e3f

SHA1
9fed4ca2ed71b38d016c09e345893cd5d2fd7902

SHA256
0281c13686d8ae00e6256aab7fe23e9fed52c9b469fd473c0aa4ac3bcdb1b88a

SHA512
5d1c2f9d14832ce359ab2b83cc8b7124d22fa81171e9ebc9abe9e1d41477b0a68e5b7295c10429d00d1f803002ff05900714ae69bbe1f5fff8df79934e815ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Filesize
1.8MB

MD5
126c418bf263b13230462fd91c5dee18

SHA1
2f5bcba8453adec7bfe1baf9bbede7efaee9539c

SHA256
4cd40eaeb03442f0c4eeba38be62cfc505dfe4d2e5ba5b77ee3870f4273bda7a

SHA512
74d52a022b3e2c6281543018508543c473b4beca00be951f9b5b4a7d47da6d67ce78831ef3c78878563aa0db5839eae28bed1ac76ef4d51375b838dfadf1ef4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtrtwy3x.1bu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
\??\pipe\crashpad_1828_HABQWFSFAQHWLIAQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1364-364-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1620-323-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-22-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1696-334-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-353-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-342-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-188-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-219-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-332-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-327-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-324-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-162-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-20-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-256-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-21-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1696-27-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1696-279-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-23-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1696-25-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1696-144-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-26-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1696-305-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-24-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1696-287-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/1696-283-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/2824-51-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2824-73-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2824-46-0x00000000003E0000-0x0000000000884000-memory.dmp

Filesize
4.6MB

Download
memory/2824-47-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2824-48-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2824-72-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2824-53-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2824-45-0x00000000003E0000-0x0000000000884000-memory.dmp

Filesize
4.6MB

Download
memory/2824-52-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2824-50-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2824-49-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2824-78-0x00000000003E0000-0x0000000000884000-memory.dmp

Filesize
4.6MB

Download
memory/3092-244-0x00000224AC6A0000-0x00000224AC6C2000-memory.dmp

Filesize
136KB

Download
memory/3092-245-0x00007FFF1A350000-0x00007FFF1AE12000-memory.dmp

Filesize
10.8MB

Download
memory/3092-246-0x00000224C4840000-0x00000224C4850000-memory.dmp

Filesize
64KB

Download
memory/3840-198-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/3840-213-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/3840-187-0x0000000000B30000-0x0000000000FE3000-memory.dmp

Filesize
4.7MB

Download
memory/3840-203-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3840-202-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3840-200-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/3840-201-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3840-199-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/4676-282-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-154-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4676-354-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-341-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-333-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-330-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-328-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-325-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-143-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-146-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4676-145-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4676-189-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-303-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-220-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-147-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4676-180-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-155-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4676-156-0x0000000005150000-0x0000000005152000-memory.dmp

Filesize
8KB

Download
memory/4676-148-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4676-149-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4676-150-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4676-151-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4676-257-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-286-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4676-152-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4676-153-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4676-280-0x0000000000F50000-0x000000000152F000-memory.dmp

Filesize
5.9MB

Download
memory/4708-7-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/4708-18-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/4708-1-0x0000000077D86000-0x0000000077D88000-memory.dmp

Filesize
8KB

Download
memory/4708-3-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/4708-2-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/4708-4-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/4708-5-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/4708-6-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4708-0-0x0000000000D50000-0x0000000001203000-memory.dmp

Filesize
4.7MB

Download
memory/5092-192-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/5092-331-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-212-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/5092-211-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/5092-190-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-193-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/5092-326-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-196-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/5092-185-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-329-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-195-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/5092-306-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-221-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-194-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/5092-288-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-335-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-191-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/5092-235-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-343-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-258-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-284-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-197-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/5092-355-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download
memory/5092-281-0x00000000002C0000-0x0000000000764000-memory.dmp

Filesize
4.6MB

Download