Analysis Overview
SHA256
5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d
Threat Level: Known bad
The file setup.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
RedLine payload
Detects Monster Stealer.
Amadey
Monster
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Creates new service(s)
Stops running service(s)
Themida packer
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks BIOS information in registry
Identifies Wine through registry keys
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks installed software on the system
Adds Run key to start application
Power Settings
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 22:30
Reported
2024-06-21 22:32
Platform
win7-20240221-en
Max time kernel
75s
Max time network
149s
Command Line
Signatures
Amadey
AsyncRat
Detects Monster Stealer.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Monster
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\da_protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files (x86)\%tepm%\t_protected.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files (x86)\%tepm%\t_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files (x86)\%tepm%\t_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\da_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\da_protected.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\uYtF.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000001000\\uYtF.exe" | C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\serieta.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\serieta.exe" | C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\da_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\%tepm%\t_protected.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da_protected.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\%tepm%\t_protected.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1720 set thread context of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1780 set thread context of 2680 | N/A | C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe | C:\Windows\explorer.exe |
| PID 1536 set thread context of 1300 | N/A | C:\ProgramData\agmxykvocxft\etuamactyjne.exe | C:\Windows\system32\conhost.exe |
| PID 1536 set thread context of 2420 | N/A | C:\ProgramData\agmxykvocxft\etuamactyjne.exe | C:\Windows\system32\conhost.exe |
| PID 2996 set thread context of 2572 | N/A | C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe | C:\Windows\system32\conhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\%tepm%\t_protected.exe | C:\Users\Admin\AppData\Local\Temp\wdpddb.exe | N/A |
| File opened for modification | C:\Program Files (x86)\%tepm% | C:\Users\Admin\AppData\Local\Temp\wdpddb.exe | N/A |
| File created | C:\Program Files (x86)\%tepm%\__tmp_rar_sfx_access_check_259446775 | C:\Users\Admin\AppData\Local\Temp\wdpddb.exe | N/A |
| File created | C:\Program Files (x86)\%tepm%\t_protected.exe | C:\Users\Admin\AppData\Local\Temp\wdpddb.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da_protected.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\%tepm%\t_protected.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\%tepm%\t_protected.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe"
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 52
C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe
"C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe"
C:\Users\Admin\AppData\Local\Temp\da_protected.exe
"C:\Users\Admin\AppData\Local\Temp\da_protected.exe"
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 84
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
"C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe"
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1112_133634826351904000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe"
C:\Users\Admin\AppData\Local\Temp\wdpddb.exe
"C:\Users\Admin\AppData\Local\Temp\wdpddb.exe"
C:\Program Files (x86)\%tepm%\t_protected.exe
"C:\Program Files (x86)\%tepm%\t_protected.exe"
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 64
C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe
"C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe"
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
"C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"
C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe"
C:\Users\Admin\AppData\Local\Temp\natura.exe
"C:\Users\Admin\AppData\Local\Temp\natura.exe"
C:\Users\Admin\AppData\Local\Temp\nautr.exe
"C:\Users\Admin\AppData\Local\Temp\nautr.exe"
C:\Users\Admin\AppData\Local\Temp\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
C:\Users\Admin\AppData\Local\Temp\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "xjuumoinznsp"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "xjuumoinznsp"
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "HJUWGNAT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "HJUWGNAT" binpath= "C:\ProgramData\agmxykvocxft\etuamactyjne.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "HJUWGNAT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OYGYWFTH"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OYGYWFTH" binpath= "C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe" start= "auto"
C:\ProgramData\agmxykvocxft\etuamactyjne.exe
C:\ProgramData\agmxykvocxft\etuamactyjne.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OYGYWFTH"
C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe
C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
Network
| Country | Destination | Domain | Proto |
| DE | 77.91.77.81:80 | 77.91.77.81 | tcp |
| RU | 185.215.113.67:40960 | tcp | |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| DE | 185.172.128.116:80 | 185.172.128.116 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| RU | 195.2.71.70:7050 | tcp | |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | movlat.com | udp |
| KR | 211.171.233.129:80 | movlat.com | tcp |
| US | 8.8.8.8:53 | llcbc.org | udp |
| DE | 91.195.240.101:80 | llcbc.org | tcp |
| US | 8.8.8.8:53 | lindex24.ru | udp |
| US | 8.8.8.8:53 | qeqei.xyz | udp |
| RU | 94.228.166.74:80 | 94.228.166.74 | tcp |
| US | 8.8.8.8:53 | o7labs.top | udp |
| RU | 94.228.166.74:80 | o7labs.top | tcp |
| RU | 94.228.166.74:80 | o7labs.top | tcp |
| RU | 95.142.46.3:7000 | tcp | |
| NL | 91.92.255.143:45786 | tcp | |
| NL | 91.92.242.179:80 | 91.92.242.179 | tcp |
| RU | 95.142.46.3:7000 | tcp | |
| RU | 95.142.46.3:7000 | tcp | |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| RU | 95.142.46.3:4449 | tcp | |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| RU | 95.142.46.3:4449 | tcp | |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| CH | 141.94.96.71:3333 | pool.supportxmr.com | tcp |
| RU | 95.142.46.3:4449 | tcp | |
| RU | 95.142.46.3:4449 | tcp | |
| RU | 95.142.46.3:7000 | tcp | |
| RU | 95.142.46.3:7000 | tcp | |
| RU | 95.142.46.3:7000 | tcp | |
| RU | 95.142.46.3:7000 | tcp | |
| RU | 95.142.46.3:4449 | tcp | |
| RU | 95.142.46.3:7000 | tcp | |
| RU | 95.142.46.3:7000 | tcp | |
| RU | 95.142.46.3:7000 | tcp |
Files
memory/2128-0-0x0000000000E40000-0x00000000012F5000-memory.dmp
memory/2128-1-0x0000000077260000-0x0000000077262000-memory.dmp
memory/2128-2-0x0000000000E41000-0x0000000000E6F000-memory.dmp
memory/2128-3-0x0000000000E40000-0x00000000012F5000-memory.dmp
memory/2128-5-0x0000000000E40000-0x00000000012F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
| MD5 | 0b3d97b11e440029d52b34ae6798cfbc |
| SHA1 | f6ec97cac5dd7fd597abc69befee89262b1d0ec1 |
| SHA256 | 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d |
| SHA512 | 2ec03b588aa23728734423e6619cbd541c768c28d5630f195a58eab08153f783f8a301adf8c68c72cde7dcf1a9823b09fa5135bd4f7ea1eee539d249d1ebfca7 |
memory/2128-15-0x0000000000E40000-0x00000000012F5000-memory.dmp
memory/2564-16-0x0000000000BE0000-0x0000000001095000-memory.dmp
memory/2564-17-0x0000000000BE0000-0x0000000001095000-memory.dmp
memory/2564-18-0x0000000000BE0000-0x0000000001095000-memory.dmp
memory/2564-20-0x0000000000BE0000-0x0000000001095000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000007001\redline123123.exe
| MD5 | 0efd5136528869a8ea1a37c5059d706e |
| SHA1 | 3593bec29dbfd333a5a3a4ad2485a94982bbf713 |
| SHA256 | 7c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e |
| SHA512 | 4ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe |
memory/2508-35-0x0000000000800000-0x0000000000850000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000008001\upd.exe
| MD5 | e8a7d0c6dedce0d4a403908a29273d43 |
| SHA1 | 8289c35dabaee32f61c74de6a4e8308dc98eb075 |
| SHA256 | 672f24842aeb72d7bd8d64e78aaba5f3a953409ce21cfe97d3a80e7ef67f232a |
| SHA512 | c8bf2f42f7bcf6f6b752ba5165c57ee99d4b31d5ba48ce1c2651afdb8bc37a14f392253f3daa0e811116d11d4c9175dc55cfb1baac0c30a71a18e1df17e73770 |
memory/2812-52-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000025001\deep.exe
| MD5 | 864d1a4e41a56c8f2e7e7eec89a47638 |
| SHA1 | 1f2cb906b92a945c7346c7139c7722230005c394 |
| SHA256 | 1c733ad7ed4f89826d675196abcc3a6133bb8f67c69d56e5fcb601ad521ff9f8 |
| SHA512 | 547a441369636e2548c7f8f94c3972269e04d80ee5a26803cc222942b28e457be908126fb4ff6bfde2a063ea1ef74ecba2aaceb58c68fba5c4fddcea5fbd91d3 |
\Users\Admin\AppData\Local\Temp\da_protected.exe
| MD5 | 3d21c714fbb98a6a3c72919928c9525c |
| SHA1 | bf628293920b8f0418de008acc8f3506eaeff3cb |
| SHA256 | 811be420db2f390e60a291018126a8aa45c8c5182c050b13076c80d3f80d153c |
| SHA512 | 3b21fda899cf197a740dd4f2844c99c772a16ffe20581fe78e801c193f29714fbfa23843059ee34baf6176e71434f0ed7506d75de91b87348bcf9cc4b999575a |
memory/2956-84-0x0000000003E60000-0x00000000047B8000-memory.dmp
memory/492-88-0x0000000000C20000-0x0000000001578000-memory.dmp
memory/2956-86-0x0000000003E60000-0x00000000047B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
| MD5 | 70a578f7f58456e475facd69469cf20a |
| SHA1 | 83e147e7ba01fa074b2f046b65978f838f7b1e8e |
| SHA256 | 5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a |
| SHA512 | 707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0 |
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
| MD5 | 6e3d83935c7a0810f75dfa9badc3f199 |
| SHA1 | 9f7d7c0ea662bcdca9b0cda928dc339f06ef0730 |
| SHA256 | dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed |
| SHA512 | 9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9 |
memory/2564-121-0x0000000000BE0000-0x0000000001095000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000063001\drivermanager.exe
| MD5 | c28a2d0a008788b49690b333d501e3f3 |
| SHA1 | 6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4 |
| SHA256 | f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a |
| SHA512 | 455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788 |
memory/1720-136-0x0000000000990000-0x0000000000D2C000-memory.dmp
memory/1720-137-0x00000000022F0000-0x00000000023F6000-memory.dmp
memory/1720-189-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-199-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-197-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-195-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-193-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-191-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-187-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-185-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-183-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-181-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-179-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-177-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-175-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-173-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-171-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-169-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-167-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-165-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-163-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-161-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-159-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-157-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-155-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-153-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-151-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-149-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-147-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-145-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-143-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-141-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-140-0x0000000000540000-0x0000000000555000-memory.dmp
memory/1720-139-0x0000000000540000-0x000000000055C000-memory.dmp
memory/1720-138-0x0000000004650000-0x000000000473C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
| MD5 | 07101cac5b9477ba636cd8ca7b9932cb |
| SHA1 | 59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1 |
| SHA256 | 488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77 |
| SHA512 | 02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887 |
memory/492-229-0x0000000000C20000-0x0000000001578000-memory.dmp
memory/492-230-0x0000000000C20000-0x0000000001578000-memory.dmp
memory/2564-242-0x0000000000BE0000-0x0000000001095000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000012001\1.exe
| MD5 | e0a475f2ac0e9c3dad905d8ce84f62cb |
| SHA1 | 6b789faafed3e4e2d318c9ec9300f9ba3c865374 |
| SHA256 | b59e52b83b0a0cde0085b3ba306316a86a845a974cbeaf45da905476b6db53bb |
| SHA512 | a23d30a9fc9d2560fe37b6d9ab334576e956412ca7841f63f051a54aa77a4e3bcf6b1b5e4e28304b06fde02028b20c6ff1297f750c4735281168164d3397cf46 |
memory/2564-261-0x0000000000BE0000-0x0000000001095000-memory.dmp
memory/2564-263-0x0000000000BE0000-0x0000000001095000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000070001\monster.exe
| MD5 | 3f4f5c57433724a32b7498b6a2c91bf0 |
| SHA1 | 04757ff666e1afa31679dd6bed4ed3af671332a3 |
| SHA256 | 0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665 |
| SHA512 | cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935 |
memory/2564-275-0x0000000000BE0000-0x0000000001095000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1112_133634826351904000\stub.exe
| MD5 | ed9d600d2e640eaa1c915dc516da9988 |
| SHA1 | 9c10629bc0255009434e64deaee5b898fc3711e2 |
| SHA256 | 2b8a2a3c53a019ca674287e1513a8e0851f2181699e37f385541537801ed1d41 |
| SHA512 | 9001454bfabf2d9621ad997726aad281638c4b2e8dc134994f479d391bae91c5d0aa24317e85e8e91956cc34357e1ed9d6682f2fe9a023d74b003a420325db68 |
C:\Users\Admin\AppData\Local\Temp\onefile_1112_133634826351904000\python310.dll
| MD5 | c80b5cb43e5fe7948c3562c1fff1254e |
| SHA1 | f73cb1fb9445c96ecd56b984a1822e502e71ab9d |
| SHA256 | 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20 |
| SHA512 | faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9D30.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2956-476-0x0000000003E60000-0x00000000047B8000-memory.dmp
memory/492-477-0x0000000000C20000-0x0000000001578000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wdpddb.exe
| MD5 | 0ce7f9d2494b190678628616a6e3dab4 |
| SHA1 | ef77a7fa1b654c0fdf93fca0d862365f05c6fd9f |
| SHA256 | 39bccc832b167ea6418f9c095f867e77ce8ba5c53f660758aaa9b8f86f07404f |
| SHA512 | 40ed2afbf64619babc0a4ceff66869b1a8790f1d7568a70230518f6cf96286f56f0ca8b7959c75bd570c5aff239e8bba7425346394c2e0a577d396c24546b887 |
\Program Files (x86)\%tepm%\t_protected.exe
| MD5 | 3749aab78d4fe372863ce1dbc98ff9b3 |
| SHA1 | a73c0b080499eb21a3df34f099e26980b3c21a08 |
| SHA256 | cd7fce0b350f192e68e533552837e6c8c63c4a8c6c6ef45f36c1e2427b10032a |
| SHA512 | 7f5cd37a4fbbd060c324c60f7e10fe7f874ed497e35a5d0eb75861069cd00f68abd10a7484853f9fb48f9ceb5e67a70818be9bca9a9488cad44a7ad3771f6b64 |
memory/1612-628-0x0000000003A50000-0x00000000043AC000-memory.dmp
memory/1612-627-0x0000000003A50000-0x00000000043AC000-memory.dmp
memory/1612-626-0x0000000003A50000-0x00000000043AC000-memory.dmp
memory/1612-625-0x0000000003A50000-0x00000000043AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
| MD5 | bbd06263062b2c536b5caacdd5f81b76 |
| SHA1 | c38352c1c08fb0fa5e67a079998ef30ebc962089 |
| SHA256 | 1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9 |
| SHA512 | 7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad |
C:\Users\Admin\AppData\Local\Temp\1000093001\0x3fg.exe
| MD5 | c4aeaafc0507785736e000ff7e823f5e |
| SHA1 | b1acdee835f02856985a822fe99921b097ed1519 |
| SHA256 | b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5 |
| SHA512 | fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d |
C:\Windows\Tasks\Hkbsse.job
| MD5 | 76bb73269b3462addc8d5fabc8e6f073 |
| SHA1 | 8b7d4a065c4533e74ae1ee4e0f977ebae61d0ff4 |
| SHA256 | 15ade665d7dc326d7208208faa599a2269270587b6c732968a4632f3b0cc5cde |
| SHA512 | 56be96de68230f07f518b670cdbc013508c3478d9e0af7c55faf4394a6584535a897706ffe5c2eb4bff748f81da3c437a6559e069f829d9b7b6d57003be655ba |
memory/296-669-0x00000000013D0000-0x0000000001D2C000-memory.dmp
memory/296-668-0x00000000013D0000-0x0000000001D2C000-memory.dmp
C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
| MD5 | 4691a9fe21f8589b793ea16f0d1749f1 |
| SHA1 | 5c297f97142b7dad1c2d0c6223346bf7bcf2ea82 |
| SHA256 | 63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904 |
| SHA512 | ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386 |
C:\Users\Admin\AppData\Local\Temp\1000003001\utyj.exe
| MD5 | f135803381618638b68506450fca1797 |
| SHA1 | c2311e46f1deb8213cb155ff8a68fac30eb6766c |
| SHA256 | bf38a350365e6dc02b2b906e330c8cea297a1ad89e752c50b4a0a201e79a7600 |
| SHA512 | 8266101235e6d3d0ee7b1d80cf504b66efa25a3ad9e147d2ece9cf8c60334d9329bf4d56d04ef34913fd2425334bc2e3419cad97cb8118ae5a406fcb410b8e5d |
memory/2372-712-0x0000000000160000-0x00000000001B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\serieta.exe
| MD5 | 448effb3d85fb89c7f190cb99ffa73fc |
| SHA1 | cbbb99017a213a46791ce3712f1297ba4a1ae72a |
| SHA256 | f8c91e7edae8c63c29dd51becb5c806305c83cf19bc576401a6802f3cd4aed66 |
| SHA512 | 026d5af0234d577dbc505a90fbedd6ce90a216ca557e527e0b3f66c00474ec8dac6bffd3a3ad6211ecee02ff557e99aa01d97b9626b73f4ced5ee78241461c9c |
C:\Users\Admin\AppData\Local\Temp\natura.exe
| MD5 | c4632a10a964a334e4c4c252283a4256 |
| SHA1 | 8538000e2e116045f9698e41f9fe1b28eaf86e00 |
| SHA256 | a665723cd4b03528486a8128548d7fe825f2ff2e91e9d773ae2d5edb0bdaa8bd |
| SHA512 | 947cc709af9b0497dd80ea1c777c7c113f6c0e958aa34847b4b64edbdbe49af11c17e3cc68cbc3e1b86dd0f961f35b0cda12ee95c3e29866fbf5a57aa2f62a03 |
C:\Users\Admin\AppData\Local\Temp\nautr.exe
| MD5 | e0df3f75617bc94f9094d476a2a55ff0 |
| SHA1 | 6b66cdb4dbe1f05e53d0e0e34b3e2d71b0098e00 |
| SHA256 | dd483c5a9e8d886f4189b170cca29d0074352c2d1ee45525d6574e35677a4548 |
| SHA512 | 099d539cf6548c3421ec1eda1124e5b97dbdaa465d48d1945ddb87bd899d74aaa2e2a1ec9f0743088b05ad48583480c73f368624c9d27e85a4a533eb928f2729 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | d79ee19a6d66e7709e9deca3b2858742 |
| SHA1 | 4c2aaf4d5c4a43df44cd6360e1c4583c630baa33 |
| SHA256 | 7dade24cee3cb22b85de442e361e56ecfafdd6ed9e1347a7b37d7fb989d55c94 |
| SHA512 | 6e06b3017307b2d2070bb840ca4225dc1535ae554ea7fb838b9747f3a121796d03d39ca4b7c80e5ce304632b0d80a7a586a16061243febf3421c1a5de9c828a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 22:30
Reported
2024-06-21 22:32
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
51s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4324 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe |
| PID 4324 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe |
| PID 4324 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 77.91.77.81:80 | tcp | |
| DE | 77.91.77.81:80 | tcp |
Files
memory/4324-0-0x0000000000930000-0x0000000000DE5000-memory.dmp
memory/4324-1-0x0000000077D34000-0x0000000077D36000-memory.dmp
memory/4324-2-0x0000000000931000-0x000000000095F000-memory.dmp
memory/4324-3-0x0000000000930000-0x0000000000DE5000-memory.dmp
memory/4324-5-0x0000000000930000-0x0000000000DE5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
| MD5 | 0b3d97b11e440029d52b34ae6798cfbc |
| SHA1 | f6ec97cac5dd7fd597abc69befee89262b1d0ec1 |
| SHA256 | 5b225235d021e0bd9075a79ed7eeaa67e3a360ba9de6c4d2db3ee23026a26a2d |
| SHA512 | 2ec03b588aa23728734423e6619cbd541c768c28d5630f195a58eab08153f783f8a301adf8c68c72cde7dcf1a9823b09fa5135bd4f7ea1eee539d249d1ebfca7 |
memory/4884-16-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4324-18-0x0000000000930000-0x0000000000DE5000-memory.dmp
memory/4884-19-0x00000000000E1000-0x000000000010F000-memory.dmp
memory/4884-20-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-21-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-22-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-23-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-24-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-25-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-26-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-27-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/3940-29-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/3940-30-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/3940-31-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-32-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/3940-33-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-34-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-35-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-36-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-37-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-38-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4188-40-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4188-41-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-42-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-43-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-44-0x00000000000E0000-0x0000000000595000-memory.dmp
memory/4884-45-0x00000000000E0000-0x0000000000595000-memory.dmp