amadey | 58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95

Analysis

max time kernel
97s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
Size

1.8MB
MD5

b58b104a152d137cbc5a54e512e0a619
SHA1

2423476e7ddb317aada8333e1df3a9147fc47afb
SHA256

58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95
SHA512

555ec8b4e10d10f59312ee75fda9887289371dd2c76bce73cd1ddd3b255656026eb19be48e6a96cbad32692f3ba9cfe8dc70b1274e56f921aed5e8cf1aed4851
SSDEEP

49152:ZBhihuT0bl8RvdaicYcVeZ52UPJsxMWZ3BOe296F0y:ZehuT0Z8NxlcVeZgUBsxHROe29o

Score

10^/10

amadey monster redline 06-20-24 e76b71 newbild discovery evasion execution infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

redline

Botnet

06-20-24

91.92.255.143:45786

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000177fe-294.dat	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015cb2-25.dat	family_redline
behavioral1/memory/632-34-0x0000000000DF0000-0x0000000000E40000-memory.dmp	family_redline
behavioral1/files/0x00060000000186e0-605.dat	family_redline
behavioral1/memory/2612-615-0x0000000000230000-0x0000000000280000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	da_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	da_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe

Executes dropped EXE 27 IoCs

pid	Process
2620	axplong.exe
632	redline123123.exe
1112	upd.exe
2292	deep.exe
2380	da_protected.exe
2060	gold.exe
1936	lummac2.exe
1744	drivermanager.exe
2396	NewLatest.exe
472	Hkbsse.exe
1208	monster.exe
976	stub.exe
1716	legs.exe
884	0x3fg.exe
1612	Hkbsse.exe
1880	uYtF.exe
2612	utyj.exe
2020	serieta.exe
1540	natura.exe
840	nautr.exe
288	Notepad.exe
752	Notepad.exe
1284	Process not Found
464	Process not Found
1092	wfbrmcwrltkl.exe
2756	etuamactyjne.exe
1632	pseaptzkxyms.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Wine	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Wine	axplong.exe

Loads dropped DLL 47 IoCs

pid	Process
2388	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
2620	axplong.exe
2620	axplong.exe
2620	axplong.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2620	axplong.exe
2292	deep.exe
2292	deep.exe
2292	deep.exe
2292	deep.exe
2620	axplong.exe
704	WerFault.exe
704	WerFault.exe
704	WerFault.exe
2620	axplong.exe
2620	axplong.exe
2620	axplong.exe
2620	axplong.exe
2396	NewLatest.exe
2620	axplong.exe
1208	monster.exe
976	stub.exe
2620	axplong.exe
236	WerFault.exe
236	WerFault.exe
236	WerFault.exe
2620	axplong.exe
884	0x3fg.exe
1612	Hkbsse.exe
1612	Hkbsse.exe
1612	Hkbsse.exe
1612	Hkbsse.exe
2020	serieta.exe
2020	serieta.exe
2020	serieta.exe
2020	serieta.exe
2020	serieta.exe
288	Notepad.exe
752	Notepad.exe
1284	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000016cdc-72.dat	themida
behavioral1/memory/2380-237-0x00000000009A0000-0x00000000012F8000-memory.dmp	themida
behavioral1/memory/2380-238-0x00000000009A0000-0x00000000012F8000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\uYtF.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000001000\\uYtF.exe"	Hkbsse.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\serieta.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\serieta.exe"	Hkbsse.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	da_protected.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1076	powercfg.exe
1936	powercfg.exe
2952	powercfg.exe
1828	powercfg.exe
2432	powercfg.exe
1888	powercfg.exe
2916	powercfg.exe
1100	powercfg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2388	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
2620	axplong.exe
2380	da_protected.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 2100	1744	drivermanager.exe	44
PID 1092 set thread context of 2200	1092	wfbrmcwrltkl.exe	87
PID 2756 set thread context of 2812	2756	etuamactyjne.exe	98
PID 2756 set thread context of 1984	2756	etuamactyjne.exe	99
PID 1632 set thread context of 980	1632	pseaptzkxyms.exe	109

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2836	sc.exe
1604	sc.exe
2764	sc.exe
2192	sc.exe
2848	sc.exe
1216	sc.exe
2428	sc.exe
1096	sc.exe
872	sc.exe
2884	sc.exe
1664	sc.exe
2752	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2156	1112	WerFault.exe	32
704	2060	WerFault.exe	39
236	1716	WerFault.exe	51

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2388	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
2620	axplong.exe
632	redline123123.exe
2612	utyj.exe
1880	uYtF.exe
1880	uYtF.exe
1880	uYtF.exe
1880	uYtF.exe
1880	uYtF.exe
1880	uYtF.exe
1880	uYtF.exe
1880	uYtF.exe
1092	wfbrmcwrltkl.exe
1092	wfbrmcwrltkl.exe
1092	wfbrmcwrltkl.exe
1092	wfbrmcwrltkl.exe
1092	wfbrmcwrltkl.exe
1540	natura.exe
1540	natura.exe
1540	natura.exe
1540	natura.exe
2756	etuamactyjne.exe
2756	etuamactyjne.exe
840	nautr.exe
840	nautr.exe
840	nautr.exe
840	nautr.exe
1632	pseaptzkxyms.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	redline123123.exe
Token: SeDebugPrivilege	1744	drivermanager.exe
Token: SeDebugPrivilege	2380	da_protected.exe
Token: SeDebugPrivilege	2612	utyj.exe
Token: SeShutdownPrivilege	2916	powercfg.exe
Token: SeShutdownPrivilege	1100	powercfg.exe
Token: SeShutdownPrivilege	1076	powercfg.exe
Token: SeShutdownPrivilege	1936	powercfg.exe
Token: SeShutdownPrivilege	1828	powercfg.exe
Token: SeShutdownPrivilege	2952	powercfg.exe
Token: SeShutdownPrivilege	2432	powercfg.exe
Token: SeShutdownPrivilege	1888	powercfg.exe
Token: SeLockMemoryPrivilege	2200	explorer.exe
Token: SeLockMemoryPrivilege	1984	conhost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2388	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
2396	NewLatest.exe
884	0x3fg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2620	2388	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe	28
PID 2388 wrote to memory of 2620	2388	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe	28
PID 2388 wrote to memory of 2620	2388	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe	28
PID 2388 wrote to memory of 2620	2388	58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe	28
PID 2620 wrote to memory of 632	2620	axplong.exe	31
PID 2620 wrote to memory of 632	2620	axplong.exe	31
PID 2620 wrote to memory of 632	2620	axplong.exe	31
PID 2620 wrote to memory of 632	2620	axplong.exe	31
PID 2620 wrote to memory of 1112	2620	axplong.exe	32
PID 2620 wrote to memory of 1112	2620	axplong.exe	32
PID 2620 wrote to memory of 1112	2620	axplong.exe	32
PID 2620 wrote to memory of 1112	2620	axplong.exe	32
PID 1112 wrote to memory of 2156	1112	upd.exe	34
PID 1112 wrote to memory of 2156	1112	upd.exe	34
PID 1112 wrote to memory of 2156	1112	upd.exe	34
PID 1112 wrote to memory of 2156	1112	upd.exe	34
PID 2620 wrote to memory of 2292	2620	axplong.exe	36
PID 2620 wrote to memory of 2292	2620	axplong.exe	36
PID 2620 wrote to memory of 2292	2620	axplong.exe	36
PID 2620 wrote to memory of 2292	2620	axplong.exe	36
PID 2292 wrote to memory of 2380	2292	deep.exe	38
PID 2292 wrote to memory of 2380	2292	deep.exe	38
PID 2292 wrote to memory of 2380	2292	deep.exe	38
PID 2292 wrote to memory of 2380	2292	deep.exe	38
PID 2620 wrote to memory of 2060	2620	axplong.exe	39
PID 2620 wrote to memory of 2060	2620	axplong.exe	39
PID 2620 wrote to memory of 2060	2620	axplong.exe	39
PID 2620 wrote to memory of 2060	2620	axplong.exe	39
PID 2060 wrote to memory of 704	2060	gold.exe	40
PID 2060 wrote to memory of 704	2060	gold.exe	40
PID 2060 wrote to memory of 704	2060	gold.exe	40
PID 2060 wrote to memory of 704	2060	gold.exe	40
PID 2620 wrote to memory of 1936	2620	axplong.exe	41
PID 2620 wrote to memory of 1936	2620	axplong.exe	41
PID 2620 wrote to memory of 1936	2620	axplong.exe	41
PID 2620 wrote to memory of 1936	2620	axplong.exe	41
PID 2620 wrote to memory of 1744	2620	axplong.exe	42
PID 2620 wrote to memory of 1744	2620	axplong.exe	42
PID 2620 wrote to memory of 1744	2620	axplong.exe	42
PID 2620 wrote to memory of 1744	2620	axplong.exe	42
PID 2620 wrote to memory of 2396	2620	axplong.exe	43
PID 2620 wrote to memory of 2396	2620	axplong.exe	43
PID 2620 wrote to memory of 2396	2620	axplong.exe	43
PID 2620 wrote to memory of 2396	2620	axplong.exe	43
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 1744 wrote to memory of 2100	1744	drivermanager.exe	44
PID 2396 wrote to memory of 472	2396	NewLatest.exe	47
PID 2396 wrote to memory of 472	2396	NewLatest.exe	47
PID 2396 wrote to memory of 472	2396	NewLatest.exe	47
PID 2396 wrote to memory of 472	2396	NewLatest.exe	47
PID 2620 wrote to memory of 1208	2620	axplong.exe	49
PID 2620 wrote to memory of 1208	2620	axplong.exe	49
PID 2620 wrote to memory of 1208	2620	axplong.exe	49
PID 2620 wrote to memory of 1208	2620	axplong.exe	49
PID 1208 wrote to memory of 976	1208	monster.exe	50
PID 1208 wrote to memory of 976	1208	monster.exe	50

C:\Users\Admin\AppData\Local\Temp\58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe
"C:\Users\Admin\AppData\Local\Temp\58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
    "C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
    "C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 52
      4⤵
      Loads dropped DLL
      Program crash
      PID:2156
- - C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe
    "C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\da_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\da_protected.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      PID:2380
- - C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 84
      4⤵
      Loads dropped DLL
      Program crash
      PID:704
- - C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
    "C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2100
- - C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
    "C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      PID:472
- - C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
    "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1208_133634799989310000\stub.exe
      "C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:976
- - C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
    "C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
    3⤵
    - Executes dropped EXE
    PID:1716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 64
      4⤵
      Loads dropped DLL
      Program crash
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe
    "C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1612
    - - C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
        
        "C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "xjuumoinznsp"
        6⤵
        Launches sc.exe
        
        PID:2848
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:1216
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:2428
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "xjuumoinznsp"
        6⤵
        Launches sc.exe
        
        PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\natura.exe
        
        "C:\Users\Admin\AppData\Local\Temp\natura.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "HJUWGNAT"
        7⤵
        Launches sc.exe
        
        PID:1664
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "HJUWGNAT" binpath= "C:\ProgramData\agmxykvocxft\etuamactyjne.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:2752
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:1096
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "HJUWGNAT"
        7⤵
        Launches sc.exe
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\nautr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nautr.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OYGYWFTH"
        7⤵
        Launches sc.exe
        
        PID:1604
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OYGYWFTH" binpath= "C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:2764
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:2192
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OYGYWFTH"
        7⤵
        Launches sc.exe
        
        PID:872
      - C:\Users\Admin\AppData\Local\Temp\Notepad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\Notepad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:752

C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1092
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200

C:\ProgramData\agmxykvocxft\etuamactyjne.exe
C:\ProgramData\agmxykvocxft\etuamactyjne.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2756
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2812
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1984

C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe
C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1632
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe

Filesize
297KB

MD5
f135803381618638b68506450fca1797

SHA1
c2311e46f1deb8213cb155ff8a68fac30eb6766c

SHA256
bf38a350365e6dc02b2b906e330c8cea297a1ad89e752c50b4a0a201e79a7600

SHA512
8266101235e6d3d0ee7b1d80cf504b66efa25a3ad9e147d2ece9cf8c60334d9329bf4d56d04ef34913fd2425334bc2e3419cad97cb8118ae5a406fcb410b8e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe

Filesize
12.1MB

MD5
448effb3d85fb89c7f190cb99ffa73fc

SHA1
cbbb99017a213a46791ce3712f1297ba4a1ae72a

SHA256
f8c91e7edae8c63c29dd51becb5c806305c83cf19bc576401a6802f3cd4aed66

SHA512
026d5af0234d577dbc505a90fbedd6ce90a216ca557e527e0b3f66c00474ec8dac6bffd3a3ad6211ecee02ff557e99aa01d97b9626b73f4ced5ee78241461c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe

Filesize
297KB

MD5
0efd5136528869a8ea1a37c5059d706e

SHA1
3593bec29dbfd333a5a3a4ad2485a94982bbf713

SHA256
7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e

SHA512
4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe

Filesize
1.7MB

MD5
e8a7d0c6dedce0d4a403908a29273d43

SHA1
8289c35dabaee32f61c74de6a4e8308dc98eb075

SHA256
672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a

SHA512
c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe

Filesize
3.6MB

MD5
864d1a4e41a56c8f2e7e7eec89a47638

SHA1
1f2cb906b92a945c7346c7139c7722230005c394

SHA256
1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8

SHA512
547a441369636e2548c7f8f94c3972269e04d80ee5a26803cc222942b28e457be908126fb4ff6bfde2a063ea1ef74ecba2aaceb58c68fba5c4fddcea5fbd91d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe

Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe

Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe

Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe

Filesize
10.7MB

MD5
3f4f5c57433724a32b7498b6a2c91bf0

SHA1
04757ff666e1afa31679dd6bed4ed3af671332a3

SHA256
0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665

SHA512
cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe

Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe

Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab13D1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14BE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\natura.exe

Filesize
2.5MB

MD5
c4632a10a964a334e4c4c252283a4256

SHA1
8538000e2e116045f9698e41f9fe1b28eaf86e00

SHA256
a665723cd4b03528486a8128548d7fe825f2ff2e91e9d773ae2d5edb0bdaa8bd

SHA512
947cc709af9b0497dd80ea1c777c7c113f6c0e958aa34847b4b64edbdbe49af11c17e3cc68cbc3e1b86dd0f961f35b0cda12ee95c3e29866fbf5a57aa2f62a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nautr.exe

Filesize
2.5MB

MD5
e0df3f75617bc94f9094d476a2a55ff0

SHA1
6b66cdb4dbe1f05e53d0e0e34b3e2d71b0098e00

SHA256
dd483c5a9e8d886f4189b170cca29d0074352c2d1ee45525d6574e35677a4548

SHA512
099d539cf6548c3421ec1eda1124e5b97dbdaa465d48d1945ddb87bd899d74aaa2e2a1ec9f0743088b05ad48583480c73f368624c9d27e85a4a533eb928f2729

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1208_133634799989310000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe

Filesize
2.5MB

MD5
4691a9fe21f8589b793ea16f0d1749f1

SHA1
5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

SHA256
63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

SHA512
ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

Download Submit
C:\Windows\Tasks\Hkbsse.job

Filesize
266B

MD5
ba1500e9f3502ea478a5d76ea5326ac5

SHA1
1534ce179ad278ecd44d0efd9f4490a0949b0bdc

SHA256
0bc4b73ae325ff8a0041c7d706416e0e1d3643934fa1d8ffe5e7dd03d4fd5436

SHA512
d23e1799af4c3612768905277accd2f3d14771bfd1cf01213ab048dcabcf714e19961c61038bac30dc279c2f5a41f3e1d67063b141e785907d025b321e1f462f

Download Submit
\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe

Filesize
1.8MB

MD5
b58b104a152d137cbc5a54e512e0a619

SHA1
2423476e7ddb317aada8333e1df3a9147fc47afb

SHA256
58464e44fa145d043279bd1d576323b9d7b5914a861703622cfacb5341447c95

SHA512
555ec8b4e10d10f59312ee75fda9887289371dd2c76bce73cd1ddd3b255656026eb19be48e6a96cbad32692f3ba9cfe8dc70b1274e56f921aed5e8cf1aed4851

Download Submit
\Users\Admin\AppData\Local\Temp\da_protected.exe

Filesize
3.2MB

MD5
3d21c714fbb98a6a3c72919928c9525c

SHA1
bf628293920b8f0418de008acc8f3506eaeff3cb

SHA256
811be420db2f390e60a291018126a8aa45c8c5182c050b13076c80d3f80d153c

SHA512
3b21fda899cf197a740dd4f2844c99c772a16ffe20581fe78e801c193f29714fbfa23843059ee34baf6176e71434f0ed7506d75de91b87348bcf9cc4b999575a

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1208_133634799989310000\stub.exe

Filesize
18.0MB

MD5
ed9d600d2e640eaa1c915dc516da9988

SHA1
9c10629bc0255009434e64deaee5b898fc3711e2

SHA256
2b8a2a3c53a019ca674287e1513a8e0851f2181699e37f385541537801ed1d41

SHA512
9001454bfabf2d9621ad997726aad281638c4b2e8dc134994f479d391bae91c5d0aa24317e85e8e91956cc34357e1ed9d6682f2fe9a023d74b003a420325db68

Download Submit
memory/632-34-0x0000000000DF0000-0x0000000000E40000-memory.dmp

Filesize
320KB

Download
memory/1112-51-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1744-197-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-171-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-132-0x0000000000FD0000-0x000000000136C000-memory.dmp

Filesize
3.6MB

Download
memory/1744-133-0x0000000005060000-0x0000000005166000-memory.dmp

Filesize
1.0MB

Download
memory/1744-148-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-146-0x0000000005170000-0x000000000525C000-memory.dmp

Filesize
944KB

Download
memory/1744-147-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/1744-151-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-159-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-169-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-173-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-181-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-193-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-205-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-149-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-203-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-201-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-199-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-195-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-191-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-189-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-187-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-185-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-183-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-179-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-177-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-175-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-153-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-167-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-165-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-163-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-161-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-157-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/1744-155-0x0000000000570000-0x0000000000585000-memory.dmp

Filesize
84KB

Download
memory/2380-238-0x00000000009A0000-0x00000000012F8000-memory.dmp

Filesize
9.3MB

Download
memory/2380-435-0x00000000009A0000-0x00000000012F8000-memory.dmp

Filesize
9.3MB

Download
memory/2380-102-0x00000000009A0000-0x00000000012F8000-memory.dmp

Filesize
9.3MB

Download
memory/2380-237-0x00000000009A0000-0x00000000012F8000-memory.dmp

Filesize
9.3MB

Download
memory/2388-5-0x00000000009D0000-0x0000000000E87000-memory.dmp

Filesize
4.7MB

Download
memory/2388-15-0x00000000009D0000-0x0000000000E87000-memory.dmp

Filesize
4.7MB

Download
memory/2388-1-0x0000000077170000-0x0000000077172000-memory.dmp

Filesize
8KB

Download
memory/2388-2-0x00000000009D1000-0x00000000009FF000-memory.dmp

Filesize
184KB

Download
memory/2388-3-0x00000000009D0000-0x0000000000E87000-memory.dmp

Filesize
4.7MB

Download
memory/2388-0-0x00000000009D0000-0x0000000000E87000-memory.dmp

Filesize
4.7MB

Download
memory/2612-615-0x0000000000230000-0x0000000000280000-memory.dmp

Filesize
320KB

Download
memory/2620-41-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/2620-17-0x0000000000D31000-0x0000000000D5F000-memory.dmp

Filesize
184KB

Download
memory/2620-16-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/2620-18-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/2620-103-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/2620-20-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/2620-97-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/2620-55-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/2620-90-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download