amadey | 61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911

Analysis

max time kernel
33s
max time network
72s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 19:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe
Size

1.8MB
MD5

62f1fa50f787174efe7b66d2d8cfe678
SHA1

26154cfcee6f9bce3488bd084da68b41140ee5b2
SHA256

61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911
SHA512

87957e8747d1944f26365c06fc83c14edd418f0ba46d06f5d07def2ca67cc64b6fc8994bfe2f0f5a3c53d75688936ea31b296157149018e9636ebe9599de5300
SSDEEP

49152:p+Obyj/KS/tDxWt6qIffufQmd0F3iEfBjk078:p+Obgt/ttWTIfuQmS3FJgF

Score

10^/10

amadey glupteba redline stealc xworm zgrat @cloudytteam test1234 dropper evasion infostealer loader rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

http://185.172.128.150

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

91.92.252.220:7000

41.199.23.195:7000

saveclinetsforme68465454711991.publicvm.com:7000

Mutex

bBT8anvIxhxDFmkf

Attributes

Install_directory
%AppData%
install_file
explorer.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe	family_xworm
behavioral2/memory/3356-288-0x0000000000DA0000-0x0000000000DB2000-memory.dmp	family_xworm

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4792-75-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_zgrat_v1
behavioral2/memory/2144-101-0x0000000000010000-0x00000000000D0000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1112-741-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba
behavioral2/memory/1956-768-0x0000000000400000-0x0000000001DFB000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_redline
behavioral2/memory/1564-97-0x00000000005C0000-0x0000000000612000-memory.dmp	family_redline
behavioral2/memory/2144-101-0x0000000000010000-0x00000000000D0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe	family_redline
behavioral2/memory/4628-179-0x0000000000800000-0x0000000000852000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

chrosha.exe61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

5288 netsh.exe
5412 netsh.exe

pid	process
5288	netsh.exe
5412	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrosha.exe61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe

Executes dropped EXE 11 IoCs

Processes:

chrosha.exeswiiiii.exealexxxxxxxx.exetrf.exekeks.exegold.exeNewB.exejok.exeswiiii.exefile300un.exemstc.exe

pid	process
1520	chrosha.exe
2196	swiiiii.exe
1936	alexxxxxxxx.exe
2144	trf.exe
1564	keks.exe
868	gold.exe
3888	NewB.exe
4628	jok.exe
4788	swiiii.exe
3100	file300un.exe
3356	mstc.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

chrosha.exe61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1860 rundll32.exe
900 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1860	rundll32.exe
900	rundll32.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\JNCAtjXeiR7uHwArQbtkaXGv.exe	themida
behavioral2/memory/3560-436-0x0000000140000000-0x0000000140749000-memory.dmp	themida
behavioral2/memory/3560-769-0x0000000140000000-0x0000000140749000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
34 pastebin.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
47 api.myip.com
51 ipinfo.io
55 api.myip.com
57 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exechrosha.exe

pid process

3024 61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe
1520 chrosha.exe

flow	ioc
2	pastebin.com
34	pastebin.com

flow	ioc
5	ip-api.com
47	api.myip.com
51	ipinfo.io
55	api.myip.com
57	ipinfo.io

Suspicious use of SetThreadContext 4 IoCs

Processes:

swiiiii.exealexxxxxxxx.exegold.exeswiiii.exe

description	pid	process	target process
PID 2196 set thread context of 2796	2196	swiiiii.exe	RegAsm.exe
PID 1936 set thread context of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 868 set thread context of 1596	868	gold.exe	RegAsm.exe
PID 4788 set thread context of 3052	4788	swiiii.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe

description ioc process

File created C:\Windows\Tasks\chrosha.job 61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1200	2196	WerFault.exe	swiiiii.exe
4800	1936	WerFault.exe	alexxxxxxxx.exe
1844	868	WerFault.exe	gold.exe
5712	5112	WerFault.exe	EpNfMW1psicxM9hu928dZQBb.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2712 schtasks.exe
5008 schtasks.exe

pid	process
2712	schtasks.exe
5008	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

keks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exechrosha.exerundll32.exekeks.exe

pid	process
3024	61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe
3024	61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe
1520	chrosha.exe
1520	chrosha.exe
900	rundll32.exe
900	rundll32.exe
900	rundll32.exe
900	rundll32.exe
900	rundll32.exe
900	rundll32.exe
1564	keks.exe
1564	keks.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

trf.exemstc.exe

description	pid	process
Token: SeDebugPrivilege	2144	trf.exe
Token: SeBackupPrivilege	2144	trf.exe
Token: SeSecurityPrivilege	2144	trf.exe
Token: SeSecurityPrivilege	2144	trf.exe
Token: SeSecurityPrivilege	2144	trf.exe
Token: SeSecurityPrivilege	2144	trf.exe
Token: SeDebugPrivilege	3356	mstc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrosha.exeswiiiii.exealexxxxxxxx.exeRegAsm.exegold.exeNewB.exeswiiii.exe

description	pid	process	target process
PID 1520 wrote to memory of 2196	1520	chrosha.exe	swiiiii.exe
PID 1520 wrote to memory of 2196	1520	chrosha.exe	swiiiii.exe
PID 1520 wrote to memory of 2196	1520	chrosha.exe	swiiiii.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 2196 wrote to memory of 2796	2196	swiiiii.exe	RegAsm.exe
PID 1520 wrote to memory of 1936	1520	chrosha.exe	alexxxxxxxx.exe
PID 1520 wrote to memory of 1936	1520	chrosha.exe	alexxxxxxxx.exe
PID 1520 wrote to memory of 1936	1520	chrosha.exe	alexxxxxxxx.exe
PID 1936 wrote to memory of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 1936 wrote to memory of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 1936 wrote to memory of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 1936 wrote to memory of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 1936 wrote to memory of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 1936 wrote to memory of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 1936 wrote to memory of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 1936 wrote to memory of 4792	1936	alexxxxxxxx.exe	RegAsm.exe
PID 4792 wrote to memory of 2144	4792	RegAsm.exe	trf.exe
PID 4792 wrote to memory of 2144	4792	RegAsm.exe	trf.exe
PID 4792 wrote to memory of 1564	4792	RegAsm.exe	keks.exe
PID 4792 wrote to memory of 1564	4792	RegAsm.exe	keks.exe
PID 4792 wrote to memory of 1564	4792	RegAsm.exe	keks.exe
PID 1520 wrote to memory of 868	1520	chrosha.exe	gold.exe
PID 1520 wrote to memory of 868	1520	chrosha.exe	gold.exe
PID 1520 wrote to memory of 868	1520	chrosha.exe	gold.exe
PID 868 wrote to memory of 4124	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 4124	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 4124	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 868 wrote to memory of 1596	868	gold.exe	RegAsm.exe
PID 1520 wrote to memory of 3888	1520	chrosha.exe	NewB.exe
PID 1520 wrote to memory of 3888	1520	chrosha.exe	NewB.exe
PID 1520 wrote to memory of 3888	1520	chrosha.exe	NewB.exe
PID 3888 wrote to memory of 2712	3888	NewB.exe	schtasks.exe
PID 3888 wrote to memory of 2712	3888	NewB.exe	schtasks.exe
PID 3888 wrote to memory of 2712	3888	NewB.exe	schtasks.exe
PID 1520 wrote to memory of 4628	1520	chrosha.exe	jok.exe
PID 1520 wrote to memory of 4628	1520	chrosha.exe	jok.exe
PID 1520 wrote to memory of 4628	1520	chrosha.exe	jok.exe
PID 1520 wrote to memory of 4788	1520	chrosha.exe	swiiii.exe
PID 1520 wrote to memory of 4788	1520	chrosha.exe	swiiii.exe
PID 1520 wrote to memory of 4788	1520	chrosha.exe	swiiii.exe
PID 4788 wrote to memory of 3756	4788	swiiii.exe	RegAsm.exe
PID 4788 wrote to memory of 3756	4788	swiiii.exe	RegAsm.exe
PID 4788 wrote to memory of 3756	4788	swiiii.exe	RegAsm.exe
PID 4788 wrote to memory of 2552	4788	swiiii.exe	RegAsm.exe
PID 4788 wrote to memory of 2552	4788	swiiii.exe	RegAsm.exe
PID 4788 wrote to memory of 2552	4788	swiiii.exe	RegAsm.exe
PID 4788 wrote to memory of 3052	4788	swiiii.exe	RegAsm.exe
PID 4788 wrote to memory of 3052	4788	swiiii.exe	RegAsm.exe
PID 4788 wrote to memory of 3052	4788	swiiii.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe
"C:\Users\Admin\AppData\Local\Temp\61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 888
3⤵
- Program crash
PID:1200

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:6092

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 364
3⤵
- Program crash
PID:4800

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 396
3⤵
- Program crash
PID:1844

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:2712

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
2⤵
- Executes dropped EXE
PID:4628

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"
2⤵
- Executes dropped EXE
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
3⤵
PID:1916

C:\Users\Admin\Pictures\EpNfMW1psicxM9hu928dZQBb.exe
"C:\Users\Admin\Pictures\EpNfMW1psicxM9hu928dZQBb.exe"
4⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\u3y0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3y0.0.exe"
5⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\u3y0.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u3y0.2\run.exe"
5⤵
PID:6052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
6⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\u3y0.3.exe
"C:\Users\Admin\AppData\Local\Temp\u3y0.3.exe"
5⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1164
5⤵
- Program crash
PID:5712

C:\Users\Admin\Pictures\1es0dL5TfujqxnIuXFIpRu8J.exe
"C:\Users\Admin\Pictures\1es0dL5TfujqxnIuXFIpRu8J.exe"
4⤵
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5668

C:\Users\Admin\Pictures\1es0dL5TfujqxnIuXFIpRu8J.exe
"C:\Users\Admin\Pictures\1es0dL5TfujqxnIuXFIpRu8J.exe"
5⤵
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:2220

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:5288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1032

C:\Users\Admin\Pictures\uqzq8NFoLJAe3APt5Rgg66bl.exe
"C:\Users\Admin\Pictures\uqzq8NFoLJAe3APt5Rgg66bl.exe"
4⤵
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5372

C:\Users\Admin\Pictures\uqzq8NFoLJAe3APt5Rgg66bl.exe
"C:\Users\Admin\Pictures\uqzq8NFoLJAe3APt5Rgg66bl.exe"
5⤵
PID:4568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5056

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:5412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2924

C:\Users\Admin\Pictures\JNCAtjXeiR7uHwArQbtkaXGv.exe
"C:\Users\Admin\Pictures\JNCAtjXeiR7uHwArQbtkaXGv.exe"
4⤵
PID:3560

C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe
"C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe" --silent --allusers=0
4⤵
PID:4776

C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe
C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6b05e1d0,0x6b05e1dc,0x6b05e1e8
5⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WEuhKMB9E1WNfolTnDOze5iP.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WEuhKMB9E1WNfolTnDOze5iP.exe" --version
5⤵
PID:4632

C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe
"C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4776 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428195425" --session-guid=334aa820-7302-4577-ac57-c1281279d4bf --server-tracking-blob="MmM0YmU4YTMwNmZhMzhhODY4MzhkMmIyOWFjMTZhNzcyNDBhN2FkYmI1ZDUyNmE4ZWRmMDhkYWM1NzZjYWEzMTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MzM0MDU3LjM2NjAiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYWZkYTFlZGQtMTZhMS00YzMwLTkzNmMtNzg1MDI1MjFiYzMxIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2405000000000000
5⤵
PID:5984

C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe
C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6a42e1d0,0x6a42e1dc,0x6a42e1e8
6⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281954251\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281954251\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
5⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281954251\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281954251\assistant\assistant_installer.exe" --version
5⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281954251\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281954251\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xc36038,0xc36044,0xc36050
6⤵
PID:5528

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:1860

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\062789476783_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe
"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'
3⤵
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
3⤵
PID:5532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
3⤵
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
3⤵
PID:5336

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
3⤵
- Creates scheduled task(s)
PID:5008

C:\Users\Admin\AppData\Local\Temp\1000242001\loader.exe
"C:\Users\Admin\AppData\Local\Temp\1000242001\loader.exe"
2⤵
PID:2812

C:\Windows\system32\svchost.exe
svchost.exe
3⤵
PID:2148

C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
3⤵
PID:4080

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2336

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:4996

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
4⤵
PID:4748

C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
3⤵
PID:3344

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1868

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:3436

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
4⤵
PID:3104

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2196 -ip 2196
1⤵
PID:496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1936 -ip 1936
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 868 -ip 868
1⤵
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5112 -ip 5112
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cd00e221c7412a41b29060dfc1dcd6c8

SHA1
76b297738f2cddd26f737ab38829ad02ed1b51ec

SHA256
98f4f38301fc856eaa213d998e3e07c3cb7e544c3662d452e3342c2268a680b7

SHA512
abcd164974234cd9d06d9e0127909148af2cbca135b22a73f48338e23f2fbb44088897bf8229591038a09959a86cd35b642c49c5033f091b5266c35a2a78b9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
655bed71fa239353b1db17d81bcb7534

SHA1
74ecc4326dea26d200a2d654b03228a609f04ea9

SHA256
fddedfe4c450de4a353e074456346a80a5e6055c48333da288fee403a6faa462

SHA512
a79c469437da050e75e3633b2c7309bebb4a45eabfe55ffa5549f3f02d085b10561fbae2220efe959cc7a0810c1f87749dae0b6eb972280d752974d061b1e924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
33db5b5f393cd18bf37308dc10e4b112

SHA1
0032feff5d4698e6c9c0b5207ea2e204aea49ca1

SHA256
df56410addd3027dbf24afe9df4803c76b3281f3209d1b0338f424758a9ff281

SHA512
5379f777ff7606de1219448e079357fde1d03f7bcfc1b47c43920557eff8775ee17f442b10fa971f1df5aa3d509fcf2888a67685c3f1738a090212037119abe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281954251\additional_file0.tmp
Filesize
2.5MB

MD5
15d8c8f36cef095a67d156969ecdb896

SHA1
a1435deb5866cd341c09e56b65cdda33620fcc95

SHA256
1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

SHA512
d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281954251\opera_package
Filesize
11.5MB

MD5
87228adc91ea5ea1ce20dca8f9ce84c3

SHA1
69698f802e589061deca781bc0537fcb698a420d

SHA256
f4b772ea7cfc6daf6b9e1c312e248feb993b61d7194f290088bb4c676a3ae04e

SHA512
c0a04e9763c8f7cfc2d7c695f6acb5c5cd8ab217fe10af8ee9bf624fc6adcc99a98870d4c8d2f2dea2033f4595cd41081a620d776194d8043908c01521aaca97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
Filesize
460KB

MD5
b22521fb370921bb5d69bf8deecce59e

SHA1
3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea

SHA256
b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158

SHA512
1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe
Filesize
386KB

MD5
0c4043a9a9efff20810530fd0cad91d7

SHA1
ca3adc7e4f1a027a2969749ccd5e2c1b06b88162

SHA256
1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc

SHA512
e5cb239c051ad141a56ca464be8068cebdc58029e39bc2d31495b27a5267604748f590397c2269d01b42f07af5a8840c8d3b339f4f042db165bd9c023a332d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe
Filesize
50KB

MD5
17eefbaaa30123fa3091add80026aed4

SHA1
8e43d736ea03bd33de5434bda5e20aae121cd218

SHA256
b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5

SHA512
e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000242001\loader.exe
Filesize
479KB

MD5
aed761007fae099d18aa07f3508044f7

SHA1
3d388cc83110f82f36c01a49423c667dcb55918e

SHA256
d6178b0a2267a5250f602a5cb8f259b18287173c86f97483e21d482ca7faef77

SHA512
9e28a4a008ad8b4e9996c4ae9971e2b626dfa30c290347c06e77efb8d45488e3954205ba702713bde11721959fa7290f76e9f7aaa448d4e02a4cef9e77bcfb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
Filesize
1.8MB

MD5
62f1fa50f787174efe7b66d2d8cfe678

SHA1
26154cfcee6f9bce3488bd084da68b41140ee5b2

SHA256
61bc0d72cc30e7f914eeb188d5e184dbcc06b9c2c1a95f40f2d691814e46e911

SHA512
87957e8747d1944f26365c06fc83c14edd418f0ba46d06f5d07def2ca67cc64b6fc8994bfe2f0f5a3c53d75688936ea31b296157149018e9636ebe9599de5300

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404281954247954776.dll
Filesize
4.6MB

MD5
45fe60d943ad11601067bc2840cc01be

SHA1
911d70a6aad7c10b52789c0312c5528556a2d609

SHA256
0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add

SHA512
30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB41D.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzhn0soz.ocr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
04102a925d7feaf864b4f39522d0b09e

SHA1
36068c2fe427661e14081e869a92995f2f016e78

SHA256
0bd984d88a2d723f221f952df60d394d8a563360ee5853ff6d5e7020694f6a14

SHA512
8720b3cb051e0a5a7e7fc4d38439a04e800ecb7276cb8799b07330cc7579abfd5cf92f2f95dbb4af7258917f00f35bfef71c359338f797d7f2c686ca6a8a45cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD999.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA67.tmp
Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3y0.0.exe
Filesize
307KB

MD5
4c1211ca6acf41a9a2282c3291384bc5

SHA1
0d405a8e2c8df1621a10adf984c836e29f0a51c5

SHA256
52aa0c072e5c7fef19391a933cb34b085bf34d258d3fd7603a99907b262d547d

SHA512
1a7b194c8dba9f99ebb419a5ff2b0918f8ef6b44ee72f00953fd422e0028d9797181c7644e671013743fccea89abeb5e3306f32e94a0ecb4d5e90184cefbef2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3y0.1.zip
Filesize
3.7MB

MD5
78d3ca6355c93c72b494bb6a498bf639

SHA1
2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

SHA256
a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

SHA512
1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3y0.2\UIxMarketPlugin.dll
Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3y0.2\bunch.dat
Filesize
1.3MB

MD5
1e8237d3028ab52821d69099e0954f97

SHA1
30a6ae353adda0c471c6ed5b7a2458b07185abf2

SHA256
9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742

SHA512
a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3y0.2\relay.dll
Filesize
1.5MB

MD5
10d51becd0bbce0fab147ff9658c565e

SHA1
4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

SHA256
7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

SHA512
29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3y0.2\run.exe
Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3y0.2\whale.dbf
Filesize
85KB

MD5
a723bf46048e0bfb15b8d77d7a648c3e

SHA1
8952d3c34e9341e4425571e10f22b782695bb915

SHA256
b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

SHA512
ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3y0.3.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3062789476-783164490-2318012559-1000\76b53b3ec448f7ccdda2063b15d2bfc3_0c7f3946-7653-4b87-8d45-55ff4293dffb
Filesize
2KB

MD5
bccc8715ec0087e3ce6a074060b8e289

SHA1
4001e29f0831d68f8f2184b425729e768cbd8609

SHA256
db988112074f36470b2d4f36c171622a51cb4e148846fb5e0c1a7faf19bb4a11

SHA512
feba0416213613b79619d7a8a55dd76e06270563d12eeb8db5ea318887a7cbdb6e768bd43dd258234bb98da092241c09c6b181a23d1b5f1e94e528d608b96b7d

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
5463d378d354b63b144b060c988149c6

SHA1
ef703dfd37cbc4eb02a71a89ecfa447480fbb7ef

SHA256
37bb82e741b399ce8928c485bacb72be2b043aafcb995555afbd96fa51c2f2e1

SHA512
d3b7f86ffa4aaeea9f92641876fa799f02811dc6094b8ae02e28368052066d9b03d113d7398e1713eb41ae6a0de74d881ef49f3c02eece0db54234689a719d7e

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
40fa25506cc8d5b16fcde6f5cccdf292

SHA1
a67a2fc027f3c1cae91f0b46991055a57cf0e1c1

SHA256
c709a8ec2e8ec8873d3a7a1873fe739c2db89e7fe96d7f13fa5ddfae6f00bf7e

SHA512
ac28c03dd09b43e8e2e5b604b992b0967b9e71ebe9a9afb85826433ef0a6350cb070d7731ca69c980199c443c655782d4a4a9aeb1a46cb153a4593e96ff6a581

Download Submit
C:\Users\Admin\Pictures\1es0dL5TfujqxnIuXFIpRu8J.exe
Filesize
4.2MB

MD5
cb2b161bbed4739c90366ddd0419a84e

SHA1
01cf657f15a61959de97d7477044bb3988c033a5

SHA256
e77265234679dcaa6987f921a87c9209773dd7f57181e0020bd147a7fde06e6c

SHA512
9cf64201b610f7c2032ecccc4919c7c0748c89b198751daff7ebfa1bd929041fa7a08adae5d9c7d917332da4aad179a23f99065eac67fc2fc7c220ebc251b5fb

Download Submit
C:\Users\Admin\Pictures\7L6sd6krVEM04OTXb1FoLtUT.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\EpNfMW1psicxM9hu928dZQBb.exe
Filesize
451KB

MD5
209baf341efd2d94d4a0158294c04d02

SHA1
3cfc11e2fd0a262ffad1359f7b127b9e74efd90c

SHA256
04043ec3c8c32b4b61ded42edb10fde3953690570505346e8c355946b2219574

SHA512
a57aa8d108c553011b7afa105f109954e52381f4b7997a2e57e4b36a2fdbcbbf4b16026e58e1022d83c34c0e75daff36c4c19d9baf8daad025b199b89e8500b2

Download Submit
C:\Users\Admin\Pictures\JNCAtjXeiR7uHwArQbtkaXGv.exe
Filesize
5.6MB

MD5
40e24b56642185d3b45d17f44d3a256a

SHA1
0ef796ac02581ccfcd3c7ae44af693a200d8b12e

SHA256
22ff278aa3fe118f203d791f4a99b54dd5b9f09ccf2895528e90f199d470b435

SHA512
c54fbeb1bbc1f7b4a09172934d4a755de84cd55ab152e1b77f2af63a516651b0f2bf44b1a4125e52fb63973e08198c82b8e94965ac22902f06d07a7ade50c567

Download Submit
C:\Users\Admin\Pictures\WEuhKMB9E1WNfolTnDOze5iP.exe
Filesize
5.1MB

MD5
01bf4499e9131f62e27caa2cce1da1ba

SHA1
02dad549283156ad5184d6fdcbc1b978b99fcc18

SHA256
86519b16a80c58b1f4595b94c0f2aed96f40ce59e1618fc85d8352cdd18fd064

SHA512
16b402e444ccad3c24a937a4edce1622adda2f3f70088c10073d32de9ae66bb8ba40d45bf73b47de447a039622d59aa0d2184ae217525d52d025a4423f50193d

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
48073ac6d405913994030192285e989a

SHA1
ebf54c57db8356cef314928fc8d48516acf8019b

SHA256
dbc1a4dad0687def8c3f7e6d0b95cbfbf8fc1f681b17d6b04f4949aa1a56946c

SHA512
0e28f8313dd568b1f24f8a11c0465a6885048503ad460f933b59feddb62e6f254df3d8e077c8e336ebc5a387520313cecd19917f2045670c970151cd763ec1cb

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
066c5d317f4792dfcd61df2c2dc259a7

SHA1
6bc09a24d00527ad666da1555c65f56bfea59b09

SHA256
bd5ebf265dad577bed2fcc13c904ef23e60aaf3e60fbc1e1b6bbf7546b8b2d82

SHA512
49a26fcce61783bb4c3907276d93b3b43424abf809322e1323e00dd414c6b6ee13096763ad5c3bc0715770cd232a1e9ffe40da9da8fdb88b2b6d1b1037cd7232

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/664-808-0x00007FFBA4280000-0x00007FFBA4489000-memory.dmp

Filesize
2.0MB

Download
memory/688-895-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/1112-741-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/1192-810-0x0000000007600000-0x0000000007615000-memory.dmp

Filesize
84KB

Download
memory/1192-783-0x000000006EB60000-0x000000006EEB7000-memory.dmp

Filesize
3.3MB

Download
memory/1192-782-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/1520-767-0x00000000009B0000-0x0000000000E62000-memory.dmp

Filesize
4.7MB

Download
memory/1520-27-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/1520-28-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/1520-22-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1520-23-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/1520-247-0x00000000009B0000-0x0000000000E62000-memory.dmp

Filesize
4.7MB

Download
memory/1520-24-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1520-25-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1520-26-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/1520-21-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/1520-435-0x00000000009B0000-0x0000000000E62000-memory.dmp

Filesize
4.7MB

Download
memory/1520-20-0x00000000009B0000-0x0000000000E62000-memory.dmp

Filesize
4.7MB

Download
memory/1520-19-0x00000000009B0000-0x0000000000E62000-memory.dmp

Filesize
4.7MB

Download
memory/1520-645-0x00000000009B0000-0x0000000000E62000-memory.dmp

Filesize
4.7MB

Download
memory/1564-140-0x0000000006790000-0x00000000067DC000-memory.dmp

Filesize
304KB

Download
memory/1564-127-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/1564-133-0x0000000006680000-0x000000000678A000-memory.dmp

Filesize
1.0MB

Download
memory/1564-99-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/1564-289-0x0000000007820000-0x00000000079E2000-memory.dmp

Filesize
1.8MB

Download
memory/1564-290-0x0000000007F20000-0x000000000844C000-memory.dmp

Filesize
5.2MB

Download
memory/1564-136-0x00000000065C0000-0x00000000065D2000-memory.dmp

Filesize
72KB

Download
memory/1564-137-0x0000000006620000-0x000000000665C000-memory.dmp

Filesize
240KB

Download
memory/1564-98-0x00000000054B0000-0x0000000005A56000-memory.dmp

Filesize
5.6MB

Download
memory/1564-97-0x00000000005C0000-0x0000000000612000-memory.dmp

Filesize
328KB

Download
memory/1564-102-0x0000000005130000-0x000000000513A000-memory.dmp

Filesize
40KB

Download
memory/1564-427-0x0000000007B40000-0x0000000007B90000-memory.dmp

Filesize
320KB

Download
memory/1564-130-0x0000000006B30000-0x0000000007148000-memory.dmp

Filesize
6.1MB

Download
memory/1564-248-0x00000000068E0000-0x0000000006946000-memory.dmp

Filesize
408KB

Download
memory/1564-117-0x0000000005AE0000-0x0000000005B56000-memory.dmp

Filesize
472KB

Download
memory/1596-143-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1596-142-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1916-328-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1956-768-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/2144-330-0x000000001E210000-0x000000001E3D2000-memory.dmp

Filesize
1.8MB

Download
memory/2144-319-0x000000001BFE0000-0x000000001BFFE000-memory.dmp

Filesize
120KB

Download
memory/2144-331-0x000000001E910000-0x000000001EE38000-memory.dmp

Filesize
5.2MB

Download
memory/2144-476-0x000000001AFB0000-0x000000001B163000-memory.dmp

Filesize
1.7MB

Download
memory/2144-291-0x000000001D520000-0x000000001D62A000-memory.dmp

Filesize
1.0MB

Download
memory/2144-293-0x000000001C020000-0x000000001C05C000-memory.dmp

Filesize
240KB

Download
memory/2144-364-0x000000001AFB0000-0x000000001B163000-memory.dmp

Filesize
1.7MB

Download
memory/2144-292-0x000000001BDB0000-0x000000001BDC2000-memory.dmp

Filesize
72KB

Download
memory/2144-318-0x000000001D9B0000-0x000000001DA26000-memory.dmp

Filesize
472KB

Download
memory/2144-101-0x0000000000010000-0x00000000000D0000-memory.dmp

Filesize
768KB

Download
memory/2196-56-0x0000000002840000-0x0000000004840000-memory.dmp

Filesize
32.0MB

Download
memory/2196-48-0x0000000000290000-0x00000000002E2000-memory.dmp

Filesize
328KB

Download
memory/2196-49-0x0000000073700000-0x0000000073EB1000-memory.dmp

Filesize
7.7MB

Download
memory/2196-58-0x0000000073700000-0x0000000073EB1000-memory.dmp

Filesize
7.7MB

Download
memory/2796-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2796-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2796-52-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2812-324-0x00000239E4160000-0x00000239E4186000-memory.dmp

Filesize
152KB

Download
memory/2812-323-0x00007FFBA4280000-0x00007FFBA4489000-memory.dmp

Filesize
2.0MB

Download
memory/2812-329-0x00000239E5B50000-0x00000239E5B74000-memory.dmp

Filesize
144KB

Download
memory/2924-880-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/3024-0-0x0000000000B00000-0x0000000000FB2000-memory.dmp

Filesize
4.7MB

Download
memory/3024-10-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3024-8-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3024-7-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/3024-6-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x0000000077D46000-0x0000000077D48000-memory.dmp

Filesize
8KB

Download
memory/3024-5-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3024-4-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3024-3-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3024-2-0x0000000000B00000-0x0000000000FB2000-memory.dmp

Filesize
4.7MB

Download
memory/3024-16-0x0000000000B00000-0x0000000000FB2000-memory.dmp

Filesize
4.7MB

Download
memory/3024-11-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3024-9-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3052-221-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3052-223-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3100-244-0x000001DE4F180000-0x000001DE4F18A000-memory.dmp

Filesize
40KB

Download
memory/3100-322-0x000001DE50F20000-0x000001DE50F7E000-memory.dmp

Filesize
376KB

Download
memory/3100-321-0x000001DE50EA0000-0x000001DE50EAA000-memory.dmp

Filesize
40KB

Download
memory/3252-883-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3356-288-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

Filesize
72KB

Download
memory/3560-769-0x0000000140000000-0x0000000140749000-memory.dmp

Filesize
7.3MB

Download
memory/3560-436-0x0000000140000000-0x0000000140749000-memory.dmp

Filesize
7.3MB

Download
memory/4568-894-0x0000000000400000-0x0000000001DFB000-memory.dmp

Filesize
26.0MB

Download
memory/4628-179-0x0000000000800000-0x0000000000852000-memory.dmp

Filesize
328KB

Download
memory/4788-218-0x0000000000670000-0x000000000069E000-memory.dmp

Filesize
184KB

Download
memory/4792-75-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4916-380-0x0000028CE05C0000-0x0000028CE05CA000-memory.dmp

Filesize
40KB

Download
memory/4916-379-0x0000028CE0B90000-0x0000028CE0BA2000-memory.dmp

Filesize
72KB

Download
memory/4916-317-0x0000028CE0550000-0x0000028CE0572000-memory.dmp

Filesize
136KB

Download
memory/5112-704-0x0000000000400000-0x0000000001A3C000-memory.dmp

Filesize
22.2MB

Download
memory/5204-770-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/5372-689-0x000000006B9D0000-0x000000006BD27000-memory.dmp

Filesize
3.3MB

Download
memory/5372-688-0x00000000721E0000-0x000000007222C000-memory.dmp

Filesize
304KB

Download
memory/5668-681-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/5668-577-0x0000000006380000-0x00000000066D7000-memory.dmp

Filesize
3.3MB

Download
memory/5668-710-0x0000000007E30000-0x0000000007E3E000-memory.dmp

Filesize
56KB

Download
memory/5668-721-0x0000000007E40000-0x0000000007E55000-memory.dmp

Filesize
84KB

Download
memory/5668-723-0x0000000007E80000-0x0000000007E9A000-memory.dmp

Filesize
104KB

Download
memory/5668-728-0x0000000007F40000-0x0000000007F48000-memory.dmp

Filesize
32KB

Download
memory/5668-587-0x0000000006860000-0x000000000687E000-memory.dmp

Filesize
120KB

Download
memory/5668-615-0x00000000721E0000-0x000000007222C000-memory.dmp

Filesize
304KB

Download
memory/5668-644-0x0000000007C00000-0x0000000007C1A000-memory.dmp

Filesize
104KB

Download
memory/5668-625-0x0000000007A90000-0x0000000007AAE000-memory.dmp

Filesize
120KB

Download
memory/5668-643-0x0000000008240000-0x00000000088BA000-memory.dmp

Filesize
6.5MB

Download
memory/5668-614-0x0000000007A50000-0x0000000007A84000-memory.dmp

Filesize
208KB

Download
memory/5668-574-0x0000000005BB0000-0x0000000005BD2000-memory.dmp

Filesize
136KB

Download
memory/5668-669-0x0000000007EA0000-0x0000000007F36000-memory.dmp

Filesize
600KB

Download
memory/5668-616-0x000000006B9D0000-0x000000006BD27000-memory.dmp

Filesize
3.3MB

Download
memory/5668-626-0x0000000007AB0000-0x0000000007B54000-memory.dmp

Filesize
656KB

Download
memory/5668-569-0x00000000033B0000-0x00000000033E6000-memory.dmp

Filesize
216KB

Download
memory/5668-575-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/5668-660-0x0000000007C80000-0x0000000007C8A000-memory.dmp

Filesize
40KB

Download
memory/5668-571-0x0000000005C70000-0x000000000629A000-memory.dmp

Filesize
6.2MB

Download
memory/5692-847-0x000000006EB60000-0x000000006EEB7000-memory.dmp

Filesize
3.3MB

Download
memory/5692-846-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/5768-781-0x0000000006CB0000-0x0000000006D54000-memory.dmp

Filesize
656KB

Download
memory/5768-807-0x0000000006FB0000-0x0000000006FC1000-memory.dmp

Filesize
68KB

Download
memory/5768-771-0x0000000073250000-0x000000007329C000-memory.dmp

Filesize
304KB

Download
memory/5768-772-0x000000006EB60000-0x000000006EEB7000-memory.dmp

Filesize
3.3MB

Download
memory/5768-763-0x0000000005F60000-0x0000000005FAC000-memory.dmp

Filesize
304KB

Download
memory/5768-751-0x0000000005550000-0x00000000058A7000-memory.dmp

Filesize
3.3MB

Download
memory/6052-588-0x00007FFBA4280000-0x00007FFBA4489000-memory.dmp

Filesize
2.0MB

Download
memory/6052-586-0x000000006B850000-0x000000006B9CD000-memory.dmp

Filesize
1.5MB

Download
memory/6052-753-0x000000006B850000-0x000000006B9CD000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads