Analysis
-
max time kernel
30s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13-08-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe
Resource
win10v2004-20240802-en
General
-
Target
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe
-
Size
1.8MB
-
MD5
6a87310841f87d194c991b1ce0f7b998
-
SHA1
38f5b601fb4f0d7cf1f53a10682c1a6c53cf2ce8
-
SHA256
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d
-
SHA512
c838f2d581953465bc93dd1481f3370e91c7e7c567243e5410159060a7662dcd3fb1900fa945a76b829f77cc6df70076f6bc33e58794c51a06651c0216762c2f
-
SSDEEP
49152:JcL+RbKLsCpsKOn/qGhmaDdh0Nvm1b/T9O:A+RYjLqoaDAvm1r5O
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
185.215.113.67:21405
Extracted
stealc
default
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
redline
BUY TG @FATHEROFCARDERS
45.66.231.214:9932
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe family_redline behavioral1/memory/2320-102-0x0000000001170000-0x00000000011C2000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe family_redline behavioral1/memory/1368-195-0x0000000000FE0000-0x0000000001032000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
Beijing.pifdescription pid process target process PID 2808 created 1208 2808 Beijing.pif Explorer.EXE PID 2808 created 1208 2808 Beijing.pif Explorer.EXE -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
axplong.exe1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Drops startup file 2 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe -
Executes dropped EXE 10 IoCs
Processes:
axplong.exeGOLD.execrypteda.exenewalp.exeHkbsse.exe06082025.exestealc_default.exeruntime.exeMYNEWRDX.exeBeijing.pifpid process 2732 axplong.exe 2576 GOLD.exe 3016 crypteda.exe 2412 newalp.exe 1684 Hkbsse.exe 2320 06082025.exe 2084 stealc_default.exe 3032 runtime.exe 1368 MYNEWRDX.exe 2808 Beijing.pif -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine axplong.exe -
Loads dropped DLL 21 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exeWerFault.exenewalp.exeWerFault.execmd.exestealc_default.exepid process 2488 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe 2732 axplong.exe 2732 axplong.exe 2628 WerFault.exe 2628 WerFault.exe 2628 WerFault.exe 2732 axplong.exe 2732 axplong.exe 2732 axplong.exe 2412 newalp.exe 2732 axplong.exe 904 WerFault.exe 904 WerFault.exe 904 WerFault.exe 2732 axplong.exe 2732 axplong.exe 2732 axplong.exe 2732 axplong.exe 2972 cmd.exe 2084 stealc_default.exe 2084 stealc_default.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid process 2712 tasklist.exe 2300 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exepid process 2488 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe 2732 axplong.exe -
Drops file in Windows directory 9 IoCs
Processes:
runtime.exenewalp.exe1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exedescription ioc process File opened for modification C:\Windows\ExplorerProprietary runtime.exe File created C:\Windows\Tasks\Hkbsse.job newalp.exe File opened for modification C:\Windows\EquationExplorer runtime.exe File opened for modification C:\Windows\SysOrleans runtime.exe File opened for modification C:\Windows\HostelGalleries runtime.exe File created C:\Windows\Tasks\axplong.job 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe File opened for modification C:\Windows\ChestAntique runtime.exe File opened for modification C:\Windows\TreeProfessor runtime.exe File opened for modification C:\Windows\ConfiguringUps runtime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2628 2576 WerFault.exe GOLD.exe 904 3016 WerFault.exe crypteda.exe -
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exefindstr.exefindstr.exeaxplong.exeGOLD.exe06082025.exestealc_default.exeBeijing.pifchoice.execmd.exeschtasks.exe1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exenewalp.execrypteda.exetasklist.execmd.exefindstr.execmd.execmd.exeHkbsse.exeruntime.exeMYNEWRDX.exetasklist.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOLD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06082025.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beijing.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language newalp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language runtime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MYNEWRDX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
stealc_default.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exestealc_default.exeBeijing.pifpid process 2488 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe 2732 axplong.exe 2084 stealc_default.exe 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif 2084 stealc_default.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
tasklist.exetasklist.exedescription pid process Token: SeDebugPrivilege 2300 tasklist.exe Token: SeDebugPrivilege 2712 tasklist.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exenewalp.exeBeijing.pifpid process 2488 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe 2412 newalp.exe 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
Beijing.pifpid process 2808 Beijing.pif 2808 Beijing.pif 2808 Beijing.pif -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exeaxplong.exeGOLD.exenewalp.execrypteda.exeruntime.execmd.exedescription pid process target process PID 2488 wrote to memory of 2732 2488 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe axplong.exe PID 2488 wrote to memory of 2732 2488 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe axplong.exe PID 2488 wrote to memory of 2732 2488 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe axplong.exe PID 2488 wrote to memory of 2732 2488 1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe axplong.exe PID 2732 wrote to memory of 2576 2732 axplong.exe GOLD.exe PID 2732 wrote to memory of 2576 2732 axplong.exe GOLD.exe PID 2732 wrote to memory of 2576 2732 axplong.exe GOLD.exe PID 2732 wrote to memory of 2576 2732 axplong.exe GOLD.exe PID 2576 wrote to memory of 2628 2576 GOLD.exe WerFault.exe PID 2576 wrote to memory of 2628 2576 GOLD.exe WerFault.exe PID 2576 wrote to memory of 2628 2576 GOLD.exe WerFault.exe PID 2576 wrote to memory of 2628 2576 GOLD.exe WerFault.exe PID 2732 wrote to memory of 3016 2732 axplong.exe crypteda.exe PID 2732 wrote to memory of 3016 2732 axplong.exe crypteda.exe PID 2732 wrote to memory of 3016 2732 axplong.exe crypteda.exe PID 2732 wrote to memory of 3016 2732 axplong.exe crypteda.exe PID 2732 wrote to memory of 2412 2732 axplong.exe newalp.exe PID 2732 wrote to memory of 2412 2732 axplong.exe newalp.exe PID 2732 wrote to memory of 2412 2732 axplong.exe newalp.exe PID 2732 wrote to memory of 2412 2732 axplong.exe newalp.exe PID 2412 wrote to memory of 1684 2412 newalp.exe Hkbsse.exe PID 2412 wrote to memory of 1684 2412 newalp.exe Hkbsse.exe PID 2412 wrote to memory of 1684 2412 newalp.exe Hkbsse.exe PID 2412 wrote to memory of 1684 2412 newalp.exe Hkbsse.exe PID 2732 wrote to memory of 2320 2732 axplong.exe 06082025.exe PID 2732 wrote to memory of 2320 2732 axplong.exe 06082025.exe PID 2732 wrote to memory of 2320 2732 axplong.exe 06082025.exe PID 2732 wrote to memory of 2320 2732 axplong.exe 06082025.exe PID 3016 wrote to memory of 904 3016 crypteda.exe WerFault.exe PID 3016 wrote to memory of 904 3016 crypteda.exe WerFault.exe PID 3016 wrote to memory of 904 3016 crypteda.exe WerFault.exe PID 3016 wrote to memory of 904 3016 crypteda.exe WerFault.exe PID 2732 wrote to memory of 2084 2732 axplong.exe stealc_default.exe PID 2732 wrote to memory of 2084 2732 axplong.exe stealc_default.exe PID 2732 wrote to memory of 2084 2732 axplong.exe stealc_default.exe PID 2732 wrote to memory of 2084 2732 axplong.exe stealc_default.exe PID 2732 wrote to memory of 3032 2732 axplong.exe runtime.exe PID 2732 wrote to memory of 3032 2732 axplong.exe runtime.exe PID 2732 wrote to memory of 3032 2732 axplong.exe runtime.exe PID 2732 wrote to memory of 3032 2732 axplong.exe runtime.exe PID 3032 wrote to memory of 2972 3032 runtime.exe cmd.exe PID 3032 wrote to memory of 2972 3032 runtime.exe cmd.exe PID 3032 wrote to memory of 2972 3032 runtime.exe cmd.exe PID 3032 wrote to memory of 2972 3032 runtime.exe cmd.exe PID 2732 wrote to memory of 1368 2732 axplong.exe MYNEWRDX.exe PID 2732 wrote to memory of 1368 2732 axplong.exe MYNEWRDX.exe PID 2732 wrote to memory of 1368 2732 axplong.exe MYNEWRDX.exe PID 2732 wrote to memory of 1368 2732 axplong.exe MYNEWRDX.exe PID 2972 wrote to memory of 2300 2972 cmd.exe tasklist.exe PID 2972 wrote to memory of 2300 2972 cmd.exe tasklist.exe PID 2972 wrote to memory of 2300 2972 cmd.exe tasklist.exe PID 2972 wrote to memory of 2300 2972 cmd.exe tasklist.exe PID 2972 wrote to memory of 2324 2972 cmd.exe findstr.exe PID 2972 wrote to memory of 2324 2972 cmd.exe findstr.exe PID 2972 wrote to memory of 2324 2972 cmd.exe findstr.exe PID 2972 wrote to memory of 2324 2972 cmd.exe findstr.exe PID 2972 wrote to memory of 2712 2972 cmd.exe tasklist.exe PID 2972 wrote to memory of 2712 2972 cmd.exe tasklist.exe PID 2972 wrote to memory of 2712 2972 cmd.exe tasklist.exe PID 2972 wrote to memory of 2712 2972 cmd.exe tasklist.exe PID 2972 wrote to memory of 2676 2972 cmd.exe findstr.exe PID 2972 wrote to memory of 2676 2972 cmd.exe findstr.exe PID 2972 wrote to memory of 2676 2972 cmd.exe findstr.exe PID 2972 wrote to memory of 2676 2972 cmd.exe findstr.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe"C:\Users\Admin\AppData\Local\Temp\1bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 645⤵
- Loads dropped DLL
- Program crash
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 645⤵
- Loads dropped DLL
- Program crash
PID:904 -
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe"C:\Users\Admin\AppData\Local\Temp\1000110001\runtime.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\cmd.execmd /c md 403656⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\findstr.exefindstr /V "HopeBuildersGeniusIslam" Sonic6⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s6⤵
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pifBeijing.pif s6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808 -
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe"C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1568 -
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:1548
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
954KB
MD5e71c0c5d72455dde6510ba23552d7d2f
SHA14dff851c07a9f9ebc9e71b7f675cc20b06a2439c
SHA256de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f
SHA512c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6
-
Filesize
1.4MB
MD504e90b2cf273efb3f6895cfcef1e59ba
SHA179afcc39db33426ee8b97ad7bfb48f3f2e4c3449
SHA256e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e
SHA51272aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555
-
Filesize
416KB
MD56093bb59e7707afe20ca2d9b80327b49
SHA1fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc
SHA2563acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3
SHA512d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1
-
Filesize
304KB
MD50d76d08b0f0a404604e7de4d28010abc
SHA1ef4270c06b84b0d43372c5827c807641a41f2374
SHA2566dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e
SHA512979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165
-
Filesize
187KB
MD5e78239a5b0223499bed12a752b893cad
SHA1a429b46db791f433180ae4993ebb656d2f9393a4
SHA25680befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89
SHA512cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc
-
Filesize
1.1MB
MD57adfc6a2e7a5daa59d291b6e434a59f3
SHA1e21ef8be7b78912bed36121404270e5597a3fe25
SHA256fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
SHA51230f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b
-
Filesize
304KB
MD50f02da56dab4bc19fca05d6d93e74dcf
SHA1a809c7e9c3136b8030727f128004aa2c31edc7a9
SHA256e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379
SHA512522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
554KB
MD530ab54ae1c615436d881fc336c264fef
SHA17e2a049923d49ae5859d2a0aa3a7dd092e672bd1
SHA256ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db
SHA5121af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9
-
Filesize
1.8MB
MD56a87310841f87d194c991b1ce0f7b998
SHA138f5b601fb4f0d7cf1f53a10682c1a6c53cf2ce8
SHA2561bca90670ea01a05472c06449066d4a8ba53619a22b1ab993efe27e7326d0f9d
SHA512c838f2d581953465bc93dd1481f3370e91c7e7c567243e5410159060a7662dcd3fb1900fa945a76b829f77cc6df70076f6bc33e58794c51a06651c0216762c2f
-
Filesize
31KB
MD56184a8fc79d602bc18c0badb08598580
SHA1de3a273e7020d43729044e41272c301118cc3641
SHA256a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7
SHA51241687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb
-
Filesize
14KB
MD52226738a67da04cef580c99f70b9a514
SHA148bbfbfdce94231ebc1833b87ff6e79aa716e3b4
SHA256e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1
SHA512c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08
-
Filesize
871KB
MD57eb7312237cf8653a876136046ce8b3e
SHA1250d61e72b9a6d0d436e04b569459bb69bb2ab9e
SHA256fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725
SHA512778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699
-
Filesize
89KB
MD530a3ed3849e36b4c26a02cf030ea985a
SHA1d3d29d3ba2c033d0abb6105cd274001e65d07f4e
SHA2566d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca
SHA512158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d
-
Filesize
98KB
MD597dd60ac57e3f1873f3120688d47cd3d
SHA1e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736
SHA256526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452
SHA512831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a
-
Filesize
76KB
MD5b81b3a6c6725be1cdd528e5fb3a9aa07
SHA1069d5fd30b48bf5345d21c2af0106325e9372c8f
SHA25608e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84
SHA5127a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2
-
Filesize
86KB
MD50c3f23378f256b116fca366d08dbd146
SHA1c6c92667dea09b7a4b2b00193ee043278854db1e
SHA2565defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65
SHA5120db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3
-
Filesize
982B
MD51b5bba21607d9a9c3293ff564ecf4f1a
SHA1de790d57fbfae12e649bf65fd9695e36a266696a
SHA256fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e
SHA512b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a
-
Filesize
55KB
MD50e16cafd2403c552149e325d90637d12
SHA1efe1e6af41751ca9978c3a21c82ef135a8846f21
SHA25693ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0
SHA5120251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec
-
Filesize
56KB
MD50e70f873cb8f5615dd364325b714895a
SHA1089a8f5d7d90e7eedd6d02e30aa458440c89d7a7
SHA2564734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94
SHA512867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4
-
Filesize
63KB
MD551143491656ae2ee983d709c45a41861
SHA11cf8eb8d13246195cfc6168524d212c9a65b4681
SHA256dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81
SHA512239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571