amadey | f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-08-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
Size

1.8MB
MD5

49bd66a142af2a05acc3afd0763c6b6c
SHA1

9302395bc7a54c54211b9ed383fcb0f4a157677f
SHA256

f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5
SHA512

9ae73e2abd24a1b46a5191b6325c66cde3ae331158874b6d5ca9d99ef5e736bef178d678f695489c34ac0f950af55fa7d456fbcb28f170a48939b385ab8821d2
SSDEEP

24576:ceiuHyMT0Ruuj+U4qpX5KQYglwkuZCrmeJQ0ehKxkOKz6Dj7flNFUQHB4eTzMFlG:ceiuSMT0RRLFfcC+6DjxNiQHGoAFlG

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.163.21:29257

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

amadey

Version

4.41

Botnet

a51500

http://api.garageserviceoperation.com

Attributes

install_dir
0cf505a27f
install_file
ednfovi.exe
strings_key
0044a8b8e295529eaf3743c9bc3171d2
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

62.113.117.95:4449

Mutex

hwelcvbupaqfzors

Attributes

delay
10
install
false
install_folder
%AppData%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects Monster Stealer. 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000002ab05-441.dat	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/4408-44-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/files/0x000100000002aac2-113.dat	family_redline
behavioral2/memory/864-122-0x0000000000FD0000-0x0000000001022000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1704 created 3360	1704	Beijing.pif	53
PID 1704 created 3360	1704	Beijing.pif	53

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3148	netsh.exe
4544	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3636	cmd.exe
1028	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe

Executes dropped EXE 17 IoCs

pid	Process
1712	axplong.exe
2088	GOLD.exe
3112	crypteda.exe
668	qumRVIuRRA.exe
864	L1Y5EIIw95.exe
3372	setup2.exe
2628	stealc_default2.exe
2096	clcs.exe
2112	runtime.exe
1704	Beijing.pif
4644	axplong.exe
3480	Indentif.exe
1428	axplong.exe
932	5PHCENYBS068Y01.exe
4104	stub.exe
4988	SÐµtuÑ€111.exe
1056	xxxx.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine	axplong.exe

Loads dropped DLL 35 IoCs

pid	Process
2628	stealc_default2.exe
2628	stealc_default2.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe
4104	stub.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
32	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3432	cmd.exe
4172	ARP.EXE

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
4948	tasklist.exe
2756	tasklist.exe
3392	tasklist.exe
2876	tasklist.exe
2172	tasklist.exe
4608	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3020	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
228	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
1712	axplong.exe
4644	axplong.exe
1428	axplong.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 4408	2088	GOLD.exe	85
PID 3112 set thread context of 3964	3112	crypteda.exe	90
PID 1056 set thread context of 4740	1056	xxxx.exe	209

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3724	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x000100000002ab29-459.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4904	3372	WerFault.exe	94
4688	2096	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L1Y5EIIw95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qumRVIuRRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SÐµtuÑ€111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beijing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4624	cmd.exe
1684	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5028	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	setup2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	clcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	clcs.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2796	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3320	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4108	ipconfig.exe
5028	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2424	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4728	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
228	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
228	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
1712	axplong.exe
1712	axplong.exe
4408	RegAsm.exe
2628	stealc_default2.exe
2628	stealc_default2.exe
668	qumRVIuRRA.exe
4408	RegAsm.exe
4408	RegAsm.exe
4408	RegAsm.exe
4408	RegAsm.exe
864	L1Y5EIIw95.exe
864	L1Y5EIIw95.exe
864	L1Y5EIIw95.exe
864	L1Y5EIIw95.exe
2628	stealc_default2.exe
2628	stealc_default2.exe
864	L1Y5EIIw95.exe
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif
4644	axplong.exe
4644	axplong.exe
1428	axplong.exe
1428	axplong.exe
1028	powershell.exe
1028	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	qumRVIuRRA.exe
Token: SeBackupPrivilege	668	qumRVIuRRA.exe
Token: SeSecurityPrivilege	668	qumRVIuRRA.exe
Token: SeSecurityPrivilege	668	qumRVIuRRA.exe
Token: SeSecurityPrivilege	668	qumRVIuRRA.exe
Token: SeSecurityPrivilege	668	qumRVIuRRA.exe
Token: SeDebugPrivilege	4408	RegAsm.exe
Token: SeDebugPrivilege	864	L1Y5EIIw95.exe
Token: SeDebugPrivilege	4948	tasklist.exe
Token: SeDebugPrivilege	2756	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe
Token: SeShutdownPrivilege	3320	WMIC.exe
Token: SeDebugPrivilege	3320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3320	WMIC.exe
Token: SeRemoteShutdownPrivilege	3320	WMIC.exe
Token: SeUndockPrivilege	3320	WMIC.exe
Token: SeManageVolumePrivilege	3320	WMIC.exe
Token: 33	3320	WMIC.exe
Token: 34	3320	WMIC.exe
Token: 35	3320	WMIC.exe
Token: 36	3320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: 36	2760	WMIC.exe
Token: SeDebugPrivilege	3392	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
228	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1704	Beijing.pif
1704	Beijing.pif
1704	Beijing.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1712	228	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe	83
PID 228 wrote to memory of 1712	228	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe	83
PID 228 wrote to memory of 1712	228	f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe	83
PID 1712 wrote to memory of 2088	1712	axplong.exe	84
PID 1712 wrote to memory of 2088	1712	axplong.exe	84
PID 1712 wrote to memory of 2088	1712	axplong.exe	84
PID 2088 wrote to memory of 4408	2088	GOLD.exe	85
PID 2088 wrote to memory of 4408	2088	GOLD.exe	85
PID 2088 wrote to memory of 4408	2088	GOLD.exe	85
PID 2088 wrote to memory of 4408	2088	GOLD.exe	85
PID 2088 wrote to memory of 4408	2088	GOLD.exe	85
PID 2088 wrote to memory of 4408	2088	GOLD.exe	85
PID 2088 wrote to memory of 4408	2088	GOLD.exe	85
PID 2088 wrote to memory of 4408	2088	GOLD.exe	85
PID 1712 wrote to memory of 3112	1712	axplong.exe	87
PID 1712 wrote to memory of 3112	1712	axplong.exe	87
PID 1712 wrote to memory of 3112	1712	axplong.exe	87
PID 3112 wrote to memory of 4484	3112	crypteda.exe	88
PID 3112 wrote to memory of 4484	3112	crypteda.exe	88
PID 3112 wrote to memory of 4484	3112	crypteda.exe	88
PID 3112 wrote to memory of 3656	3112	crypteda.exe	89
PID 3112 wrote to memory of 3656	3112	crypteda.exe	89
PID 3112 wrote to memory of 3656	3112	crypteda.exe	89
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3112 wrote to memory of 3964	3112	crypteda.exe	90
PID 3964 wrote to memory of 668	3964	RegAsm.exe	91
PID 3964 wrote to memory of 668	3964	RegAsm.exe	91
PID 3964 wrote to memory of 668	3964	RegAsm.exe	91
PID 3964 wrote to memory of 864	3964	RegAsm.exe	93
PID 3964 wrote to memory of 864	3964	RegAsm.exe	93
PID 3964 wrote to memory of 864	3964	RegAsm.exe	93
PID 1712 wrote to memory of 3372	1712	axplong.exe	94
PID 1712 wrote to memory of 3372	1712	axplong.exe	94
PID 1712 wrote to memory of 3372	1712	axplong.exe	94
PID 1712 wrote to memory of 2628	1712	axplong.exe	99
PID 1712 wrote to memory of 2628	1712	axplong.exe	99
PID 1712 wrote to memory of 2628	1712	axplong.exe	99
PID 1712 wrote to memory of 2096	1712	axplong.exe	100
PID 1712 wrote to memory of 2096	1712	axplong.exe	100
PID 1712 wrote to memory of 2096	1712	axplong.exe	100
PID 1712 wrote to memory of 2112	1712	axplong.exe	101
PID 1712 wrote to memory of 2112	1712	axplong.exe	101
PID 1712 wrote to memory of 2112	1712	axplong.exe	101
PID 2568 wrote to memory of 4948	2568	cmd.exe	104
PID 2568 wrote to memory of 4948	2568	cmd.exe	104
PID 2568 wrote to memory of 4948	2568	cmd.exe	104
PID 2568 wrote to memory of 968	2568	cmd.exe	105
PID 2568 wrote to memory of 968	2568	cmd.exe	105
PID 2568 wrote to memory of 968	2568	cmd.exe	105
PID 2568 wrote to memory of 2756	2568	cmd.exe	106
PID 2568 wrote to memory of 2756	2568	cmd.exe	106
PID 2568 wrote to memory of 2756	2568	cmd.exe	106
PID 2568 wrote to memory of 4016	2568	cmd.exe	107
PID 2568 wrote to memory of 4016	2568	cmd.exe	107
PID 2568 wrote to memory of 4016	2568	cmd.exe	107
PID 2568 wrote to memory of 1932	2568	cmd.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4188	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe
  "C:\Users\Admin\AppData\Local\Temp\f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4484
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Users\Admin\AppData\Roaming\qumRVIuRRA.exe
        
        "C:\Users\Admin\AppData\Roaming\qumRVIuRRA.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
      - C:\Users\Admin\AppData\Roaming\L1Y5EIIw95.exe
        
        "C:\Users\Admin\AppData\Roaming\L1Y5EIIw95.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\setup2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\setup2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:3372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 384
        5⤵
        Program crash
        
        PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe
      "C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 520
        5⤵
        Program crash
        
        PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
      "C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:968
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 40365
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "HopeBuildersGeniusIslam" Sonic
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
      - C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
        
        Beijing.pif s
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1704
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:448
  - - C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe
      "C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe"
      4⤵
      Executes dropped EXE
      PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
      "C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe"
      4⤵
      Executes dropped EXE
      PID:932
    - - C:\Users\Admin\AppData\Local\Temp\onefile_932_133689867719042262\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4104
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:1020
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:2456
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:4652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:4940
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:3068
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:4900
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:1564
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:3904
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:2876
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        6⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:3020
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        6⤵
        
        PID:4592
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        7⤵
        
        PID:3324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:3036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:4728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:3620
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:2172
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:3636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:3492
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:4804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:3428
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:4204
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:3432
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:2424
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:428
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:2796
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:2744
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:1036
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:1492
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:220
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:2436
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:1564
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:2156
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:3372
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:4820
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:3904
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:1340
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:1380
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:4200
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:4608
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:4108
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:32
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:4172
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5028
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:3724
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3148
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4624
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:928
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:3180
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\1000179001\SÐµtuÑ€111.exe
      "C:\Users\Admin\AppData\Local\Temp\1000179001\SÐµtuÑ€111.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\1000185001\xxxx.exe
      "C:\Users\Admin\AppData\Local\Temp\1000185001\xxxx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1056
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3372 -ip 3372
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2096 -ip 2096
1⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe

Filesize
323KB

MD5
d6fca3cd57293390ccf9d2bc83662dda

SHA1
94496d01aa91e981846299eeac5631ab8b8c4a93

SHA256
74e0bf30c9107fa716920c878521037db3ca4eeda5c14d745a2459eb14d1190e

SHA512
3990a61000c7dad33e75ce1ca670f5a7b66c0ce1215997dccfca5d4163fedfc7b736bca01c2f1064b0c780eccb039dd0de6be001c87399c1d69da0f456db2a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.1MB

MD5
8e74497aff3b9d2ddb7e7f819dfc69ba

SHA1
1d18154c206083ead2d30995ce2847cbeb6cdbc1

SHA256
d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66

SHA512
9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\setup2.exe

Filesize
350KB

MD5
d78d85135f584e455f692923d9feb804

SHA1
7bf6d4d00326ecfa3e48644896d3407ab473a9d5

SHA256
41582c8b6bd111a2f141dee52b619d13278ef68754691263abeb3238d485f404

SHA512
1fb4e040511f3bbf8c04459942d1a5915b5f8fe78dd169b932e04dc7ccdb227aee42327a8071136b27a368f2fe8b8b5de3c9187d4b3cc5354cbba0a1d89d26bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\clcs.exe

Filesize
6.3MB

MD5
5f5eb3caf593e33ff2fd4b82db11084a

SHA1
0d0fa72c99e0759c79b0f06fdcd74d1fb823ced5

SHA256
29036a1125ac5f5b8a4bfb794fa965efd1f5e24853db3fa901b17d96ba901ca8

SHA512
8b88d41a1ba2a1543eff933fbefacf5c6669fff37165515149e70cb784fd09e4b091f347cbf4111bbe9a57a571a6dfa46a36ceb8a235ec13ea656c382502d468

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000162001\Indentif.exe

Filesize
10.1MB

MD5
4dff7e34dcd2f430bf816ec4b25a9dbc

SHA1
b1d9e400262d2e36e00fa5b29fa6874664c7d0c1

SHA256
6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a

SHA512
268ba5b7eaab858eb516241ee044b46e1efb211a6826e0df3880421ae95911f271f61e3777171f085b9b05ffccb40b621bfdc3c3ecdd6f23435ac1a963c5a7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000174001\5PHCENYBS068Y01.exe

Filesize
10.5MB

MD5
7fffe8702479239234bce6013bcad409

SHA1
ee7aaecaeff869350ead69c907b77d5b0afd3f09

SHA256
7870eda6f78bde1ea7c083ddf32a9aabd118b30f6b8617f4b9e6625edba0ff95

SHA512
8d5932d1fa8006c73e8576383425151439b4bf4637017f104a6c4e5cf202ce1c4a1dbec6d61adb794fd8a30c1300d6635d162df8630f9193c96239ec8b2a6869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000179001\SÐµtuÑ€111.exe

Filesize
6.4MB

MD5
9436c63eb99d4933ec7ffd0661639cbe

SHA1
12da487e8e0a42a1a40ed00ee8708e8c6eed1800

SHA256
3a79351bd8099a518ecb4258aacecc84f7ed44cf67426b482b7583ce20c17e4e

SHA512
59bc369bf7d96865be7e2f0b148e8216804c7f85d59958e7cc142770b44a84a266db8aec05b28bed483828f84abd81a21b3d40cdda230c1a534f6b380a387c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000185001\xxxx.exe

Filesize
122KB

MD5
31fa485283c090077fb15a0831fd89f7

SHA1
5be3539600b869f25da4295c7cc350a4ade483d6

SHA256
32268f4d7203997102b3e92c592dc498e407f0d8786a1107d633d9495fc9f2b0

SHA512
305d538bbe84191779ce6315bff8193ce0b202c5ed664127713c207549297485ee416aee984d39eae436d5482310581bb8db584ce6f84145fc6f32e7098b6f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\40365\s

Filesize
554KB

MD5
30ab54ae1c615436d881fc336c264fef

SHA1
7e2a049923d49ae5859d2a0aa3a7dd092e672bd1

SHA256
ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db

SHA512
1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
49bd66a142af2a05acc3afd0763c6b6c

SHA1
9302395bc7a54c54211b9ed383fcb0f4a157677f

SHA256
f4d8f4d2b4ce1cd1c075942dd55d2957d1e481907c597cedc7ad441316cd82f5

SHA512
9ae73e2abd24a1b46a5191b6325c66cde3ae331158874b6d5ca9d99ef5e736bef178d678f695489c34ac0f950af55fa7d456fbcb28f170a48939b385ab8821d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.6MB

MD5
b98d491ead30f30e61bc3e865ab72f18

SHA1
db165369b7f2ae513b51c4f3def9ea2668268221

SHA256
35d5aeb890b99e6bae3e6b863313fbc8a1a554acbcd416fe901b1e1ae2993c98

SHA512
044c9c39bddb13020ed865d3aa30926460ae6ded5fdea59eca2b1cf6a4ded55728d883f19ee0749f95a4d93f66e04fcc62bc3be67119c4ccabd17b003cf5f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDF34.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
0314b66f9eb938be8129e7b72a6dfe4d

SHA1
f524526636d7e3df1c2d6fc4d3a530ec2b40f5a6

SHA256
96f64dc6baf4363b64cf944be7e45a0400e535951510200007a4bdd68d1788d8

SHA512
ce7622f34a755687816868f1d26c069cefc69b2a630f333d3c49203e4aa285a312e693c4875f8ce709778ffb2e7f9376269f795063f665f18efaf7550e956194

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxx5hvy2.kdj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_932_133689867719042262\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_932_133689867719042262\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_932_133689867719042262\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_932_133689867719042262\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_932_133689867719042262\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_932_133689867719042262\stub.exe

Filesize
15.9MB

MD5
1f4bbcf45463611b2321a428424e71ff

SHA1
102b8883177489e69964822db3adc4bb3ddba2b5

SHA256
1f0ad6f7003fbd3e3e8ebeb0e179ffd8b9ce43f0914b1041136c6603eaa6ebb2

SHA512
3613d74999fd7eedbe73ddb63f65529475a432b9203fd86b0f88b45ebff0d2e9192b27ce1c24f4e42eaee0c331bfea34a90764482990b5f2424c0f980c50a44a

Download Submit
C:\Users\Admin\AppData\Roaming\L1Y5EIIw95.exe

Filesize
304KB

MD5
30f46f4476cdc27691c7fdad1c255037

SHA1
b53415af5d01f8500881c06867a49a5825172e36

SHA256
3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0

SHA512
271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-242286936-336880687-2152680090-1000\76b53b3ec448f7ccdda2063b15d2bfc3_c9038f8c-1e1b-4144-a72a-756d47bbff27

Filesize
2KB

MD5
a9876917485a58b2974e174b8225e2e5

SHA1
15f8c4ddaff0dd4e4a780d24924ee69e985d38ea

SHA256
208c826985a8cc11ffd81cec2c79289537417d34a6d49b3d0103087faf1ab54c

SHA512
fdc69f39cb4abca15a205c9b370880fe7e095faa9619b624fed4e348d41b34b4e7b80151cf539fb5a5b4da794e39d779aebc2adf52d330143e1beeddd5560d09

Download Submit
C:\Users\Admin\AppData\Roaming\qumRVIuRRA.exe

Filesize
544KB

MD5
88367533c12315805c059e688e7cdfe9

SHA1
64a107adcbac381c10bd9c5271c2087b7aa369ec

SHA256
c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9

SHA512
7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
a70236f5981e9c125f6bd37be4db3531

SHA1
db87df3c0197a2aa2572810c71667440f96ae499

SHA256
1a1199a8c11c5e6f151ecb3b1582d02781679104f6a6ee24864bb1c99079288c

SHA512
2fed4a5bd8ca0411265a797b3b6a05f2ea7d640f30bc67e32b77925b8394b8fb966ae824cb381a0e94fced4a132369b29ec5621b7fd4593755d580dbcc4a11e5

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
aa36b9219256e4e064d57fa978ef6706

SHA1
31251aeecebc5db81e93ebaccf44dacb56286881

SHA256
9142bd5c6e74c5e668325b443df2e3709309fb81a317ebc8743b76a7c7abcdf8

SHA512
c5d09d03c7d551ae9cb878b6b4851b7e6c126eaf66698409384b46adaf3fbd74cae12e37c8cc9c5ae8d0e8f55d7bcd019b791dd7bcd5293de2a35af2cbd6691f

Download Submit
memory/228-0-0x0000000000EC0000-0x0000000001376000-memory.dmp

Filesize
4.7MB

Download
memory/228-1-0x00000000770F6000-0x00000000770F8000-memory.dmp

Filesize
8KB

Download
memory/228-2-0x0000000000EC1000-0x0000000000EEF000-memory.dmp

Filesize
184KB

Download
memory/228-3-0x0000000000EC0000-0x0000000001376000-memory.dmp

Filesize
4.7MB

Download
memory/228-5-0x0000000000EC0000-0x0000000001376000-memory.dmp

Filesize
4.7MB

Download
memory/228-18-0x0000000000EC0000-0x0000000001376000-memory.dmp

Filesize
4.7MB

Download
memory/668-186-0x000000000A360000-0x000000000A522000-memory.dmp

Filesize
1.8MB

Download
memory/668-123-0x0000000000F10000-0x0000000000F9E000-memory.dmp

Filesize
568KB

Download
memory/668-187-0x000000000AA60000-0x000000000AF8C000-memory.dmp

Filesize
5.2MB

Download
memory/864-122-0x0000000000FD0000-0x0000000001022000-memory.dmp

Filesize
328KB

Download
memory/1028-530-0x0000026FCF870000-0x0000026FCF892000-memory.dmp

Filesize
136KB

Download
memory/1056-593-0x00000000003F0000-0x0000000000414000-memory.dmp

Filesize
144KB

Download
memory/1428-388-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1704-316-0x00000000009A0000-0x0000000000A0F000-memory.dmp

Filesize
444KB

Download
memory/1704-315-0x00000000009A0000-0x0000000000A0F000-memory.dmp

Filesize
444KB

Download
memory/1704-317-0x00000000009A0000-0x0000000000A0F000-memory.dmp

Filesize
444KB

Download
memory/1704-318-0x00000000009A0000-0x0000000000A0F000-memory.dmp

Filesize
444KB

Download
memory/1704-322-0x00000000009A0000-0x0000000000A0F000-memory.dmp

Filesize
444KB

Download
memory/1704-319-0x00000000009A0000-0x0000000000A0F000-memory.dmp

Filesize
444KB

Download
memory/1704-320-0x00000000009A0000-0x0000000000A0F000-memory.dmp

Filesize
444KB

Download
memory/1712-159-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-326-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-374-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-16-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-310-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-19-0x0000000000521000-0x000000000054F000-memory.dmp

Filesize
184KB

Download
memory/1712-312-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-257-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-20-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-181-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-21-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-180-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-164-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-22-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-296-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-72-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-323-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-324-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/1712-325-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/2088-42-0x0000000000830000-0x0000000000884000-memory.dmp

Filesize
336KB

Download
memory/2088-41-0x0000000072ABE000-0x0000000072ABF000-memory.dmp

Filesize
4KB

Download
memory/2096-311-0x0000000000400000-0x000000000106A000-memory.dmp

Filesize
12.4MB

Download
memory/2096-309-0x0000000000400000-0x000000000106A000-memory.dmp

Filesize
12.4MB

Download
memory/2628-182-0x00000000004F0000-0x0000000000733000-memory.dmp

Filesize
2.3MB

Download
memory/2628-188-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2628-258-0x00000000004F0000-0x0000000000733000-memory.dmp

Filesize
2.3MB

Download
memory/3112-91-0x0000000000E50000-0x0000000000F62000-memory.dmp

Filesize
1.1MB

Download
memory/3372-160-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3480-352-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-357-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-367-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-351-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-375-0x0000000000400000-0x0000000000E2D000-memory.dmp

Filesize
10.2MB

Download
memory/3480-376-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-353-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-354-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-355-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-356-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-358-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3480-345-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3964-98-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3964-95-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3964-93-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3964-97-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3964-118-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4408-69-0x0000000007060000-0x0000000007072000-memory.dmp

Filesize
72KB

Download
memory/4408-68-0x00000000088F0000-0x00000000089FA000-memory.dmp

Filesize
1.0MB

Download
memory/4408-161-0x0000000006B80000-0x0000000006BE6000-memory.dmp

Filesize
408KB

Download
memory/4408-173-0x000000000A1A0000-0x000000000A1F0000-memory.dmp

Filesize
320KB

Download
memory/4408-71-0x0000000008A00000-0x0000000008A4C000-memory.dmp

Filesize
304KB

Download
memory/4408-70-0x00000000070C0000-0x00000000070FC000-memory.dmp

Filesize
240KB

Download
memory/4408-44-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4408-46-0x0000000005830000-0x0000000005DD6000-memory.dmp

Filesize
5.6MB

Download
memory/4408-67-0x0000000007130000-0x0000000007748000-memory.dmp

Filesize
6.1MB

Download
memory/4408-64-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4408-63-0x00000000060E0000-0x0000000006156000-memory.dmp

Filesize
472KB

Download
memory/4408-48-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/4408-47-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/4644-321-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/4644-314-0x0000000000520000-0x00000000009D6000-memory.dmp

Filesize
4.7MB

Download
memory/4740-597-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download