Malware Analysis Report

2024-10-18 23:46

Sample ID 240830-cmcmaascnd
Target ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2
SHA256 ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2
Tags
amadey fed3aa discovery evasion trojan exelastealer monster redline stealc @cloudytteam a51500 default2 livetraffic collection credential_access defense_evasion infostealer persistence privilege_escalation spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2

Threat Level: Known bad

The file ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2 was found to be: Known bad.

Malicious Activity Summary

RedLine

Detects Monster Stealer.

RedLine payload

Amadey

Stealc

Exela Stealer

Monster

Suspicious use of NtCreateUserProcessOtherParentProcess

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Modifies Windows Firewall

Downloads MZ/PE file

Identifies Wine through registry keys

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Checks BIOS information in registry

Clipboard Data

Network Service Discovery

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Hide Artifacts: Hidden Files and Directories

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Permission Groups Discovery: Local Groups

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Connections Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Scheduled Task/Job: Scheduled Task

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Checks processor information in registry

Suspicious use of WriteProcessMemory

Gathers network information

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Collects information from the system

Suspicious use of SendNotifyMessage

Runs net.exe

Gathers system information

Kills process with taskkill

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-08-30 02:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 02:11

Reported

2024-08-30 02:13

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe

"C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 f6911f034b6809f72c761b37b7a3c336
SHA1 3c6155a81deb337c9c4d5211cfe9be3f94103b92
SHA256 ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2
SHA512 f54310829774dfc9dd4bd9f159eb1d29c95439371c70747bf9d4c4da2e5563367ec7632b39c61fb4b9fe0efb7e3d76dd621239b228ab9cdfce3c349f0ad7a3fa

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 02:11

Reported

2024-08-30 02:13

Platform

win11-20240802-en

Max time kernel

147s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detects Monster Stealer.

Description Indicator Process Target
N/A N/A N/A N/A

Exela Stealer

stealer exelastealer

Monster

stealer monster

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5984 created 3308 N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif C:\Windows\Explorer.EXE
PID 5984 created 3308 N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif C:\Windows\Explorer.EXE

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\stub.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\TreeProfessor C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\SysOrleans C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
File opened for modification C:\Windows\ChestAntique C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\EquationExplorer C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\ExplorerProprietary C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
File opened for modification C:\Windows\HostelGalleries C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\ConfiguringUps C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5348 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 5348 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 5348 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 1360 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 1360 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 1360 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 324 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 324 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1360 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 1360 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 1360 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 3660 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3660 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2116 wrote to memory of 1032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe
PID 2116 wrote to memory of 1032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe
PID 2116 wrote to memory of 1032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe
PID 2116 wrote to memory of 5624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe
PID 2116 wrote to memory of 5624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe
PID 2116 wrote to memory of 5624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe
PID 1360 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 1360 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 1360 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 1528 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 1528 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 1528 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 1360 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 1360 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 1360 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 1360 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 1360 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 1360 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 1364 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2436 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2436 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2436 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2436 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2436 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2436 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2436 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2436 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2436 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe

"C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe

"C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe"

C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe

"C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 40365

C:\Windows\SysWOW64\findstr.exe

findstr /V "HopeBuildersGeniusIslam" Sonic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s

C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

Beijing.pif s

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F

C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"

C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe

"C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe

"C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

"C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\stub.exe

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 ddl.safone.dev udp
IE 63.32.161.232:80 ddl.safone.dev tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.161.32.63.in-addr.arpa udp
DE 95.179.250.45:26212 N/A tcp
RU 185.215.113.26:80 185.215.113.26 tcp
FI 65.21.18.51:45580 N/A tcp
RU 185.215.113.26:80 185.215.113.26 tcp
EE 147.45.60.44:80 stagingbyvdveen.com tcp
RU 185.215.113.17:80 185.215.113.17 tcp
FI 95.216.107.53:12311 N/A tcp
IN 69.57.172.44:443 cgil.in tcp
NL 45.91.200.135:80 45.91.200.135 tcp
US 172.67.75.163:443 api.myip.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 104.21.61.115:443 abledzovmposia.shop tcp
US 172.67.207.182:443 locatedblsoqp.shop tcp
US 172.67.177.240:443 traineiwnqo.shop tcp
N/A 127.0.0.1:50351 N/A tcp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:50360 N/A tcp
N/A 127.0.0.1:50365 N/A tcp
N/A 127.0.0.1:50368 N/A tcp
N/A 127.0.0.1:50370 N/A tcp
US 172.67.193.102:443 jirafasaltas.fun tcp

Files

memory/5348-0-0x00000000003B0000-0x0000000000865000-memory.dmp

memory/5348-1-0x00000000774D6000-0x00000000774D8000-memory.dmp

memory/5348-2-0x00000000003B1000-0x00000000003DF000-memory.dmp

memory/5348-3-0x00000000003B0000-0x0000000000865000-memory.dmp

memory/5348-4-0x00000000003B0000-0x0000000000865000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 f6911f034b6809f72c761b37b7a3c336
SHA1 3c6155a81deb337c9c4d5211cfe9be3f94103b92
SHA256 ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2
SHA512 f54310829774dfc9dd4bd9f159eb1d29c95439371c70747bf9d4c4da2e5563367ec7632b39c61fb4b9fe0efb7e3d76dd621239b228ab9cdfce3c349f0ad7a3fa

memory/1360-18-0x0000000000E10000-0x00000000012C5000-memory.dmp

memory/5348-17-0x00000000003B0000-0x0000000000865000-memory.dmp

memory/1360-19-0x0000000000E11000-0x0000000000E3F000-memory.dmp

memory/1360-20-0x0000000000E10000-0x00000000012C5000-memory.dmp

memory/1360-21-0x0000000000E10000-0x00000000012C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe

MD5 6134586375c01f97f8777bae1bf5ed98
SHA1 4787fa996b75dbc54632cc321725ee62666868a1
SHA256 414becb8aabd4e8c406e84df062bee1a45cffa334ae30022078cfa71da9e330d
SHA512 652ed16d96b5700f105c2bab8e7258f167bc1615b6397be7340c08df7c977842844326e07fdef677aecfaf07263f99bb7968c9fc926e90e5a33d2ed793f8436b

memory/324-42-0x0000000072D7E000-0x0000000072D7F000-memory.dmp

memory/324-43-0x0000000000930000-0x0000000000984000-memory.dmp

memory/3064-46-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3064-49-0x00000000057B0000-0x0000000005D56000-memory.dmp

memory/3064-50-0x0000000005200000-0x0000000005292000-memory.dmp

memory/3064-51-0x00000000052E0000-0x00000000052EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp8211.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/3064-66-0x0000000005E60000-0x0000000005ED6000-memory.dmp

memory/3064-67-0x0000000006650000-0x000000000666E000-memory.dmp

memory/3064-70-0x0000000006FE0000-0x00000000075F8000-memory.dmp

memory/3064-71-0x00000000087A0000-0x00000000088AA000-memory.dmp

memory/3064-72-0x0000000006F10000-0x0000000006F22000-memory.dmp

memory/3064-73-0x0000000006F70000-0x0000000006FAC000-memory.dmp

memory/3064-74-0x00000000088B0000-0x00000000088FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

MD5 8e74497aff3b9d2ddb7e7f819dfc69ba
SHA1 1d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256 d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA512 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

memory/3660-93-0x0000000000850000-0x0000000000962000-memory.dmp

memory/2116-95-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2116-100-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2116-99-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2116-97-0x0000000000400000-0x000000000050D000-memory.dmp

C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe

MD5 88367533c12315805c059e688e7cdfe9
SHA1 64a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256 c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA512 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe

MD5 30f46f4476cdc27691c7fdad1c255037
SHA1 b53415af5d01f8500881c06867a49a5825172e36
SHA256 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

memory/2116-120-0x0000000000400000-0x000000000050D000-memory.dmp

memory/5624-123-0x0000000000C90000-0x0000000000CE2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2842058299-443432012-2465494467-1000\76b53b3ec448f7ccdda2063b15d2bfc3_4e5e470e-e4f7-4106-b4e9-66a8af691963

MD5 dd16830599a24dc0a30cf6e9d055885c
SHA1 43d5048e346ed94c18ff607b7f521b6989435182
SHA256 56f6cf510913f97340c84d2e07384b58abab2be9dc8f433781ee481851576376
SHA512 5bd417059695dbc5a77d615fd5f6fa8fc01339812e31c37a13bc04f68da7bf6fca2a5ba7db0eaf70bca283f7d7cf667e40292035426b993d60bfb777497a1156

memory/1032-125-0x0000000000050000-0x00000000000DE000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 969308f61ca2fb45df5e4ae973c4dbd6
SHA1 1bdb248435b6c13fa153166de2864e0a91564788
SHA256 77a3698b5bd084974895da04d0eb3d9290b29124db9da08c9fadb3c7e3a29ef7
SHA512 f06d2cd59664c3230a6481a82e6f7ac3ca74b6247c298cdc2ccdcefbab69fcac0be1fa715b534054d955397543774b6891811091f80e49412b3415c4ce317f9c

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 97636238cf96a58a1d1140aeaf8c6ecd
SHA1 b6eefb42001664033dbcc09ecc3cf929914f6478
SHA256 3b7dee6b76caf777dc6b374777ee6eb27263f4fa5e62919cf3d7beb2a28e1fc5
SHA512 7037e14e73f0ac2a4d201941b47cb95e513100fe4193cf02b61bbb1b761da60512e96c0c8c958d560dcb300d064d307189c71ac80f79d0254f0d38ba30a7fc98

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

memory/1360-161-0x0000000000E10000-0x00000000012C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/2912-187-0x00000000007B0000-0x00000000009F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\Set-up+%282%29.exe

MD5 d5ed74dc7d1bea716c32ed5efaa8f625
SHA1 69b28bac3fdb3dd6cf7748af00fc433391e8aeb9
SHA256 5458848903d44a7340933dd519e21a8305bd6f78bd9a98fb1e79c7395255b9f7
SHA512 05d5d3feb3c27360f5f1e2fc4fc8ab8f98d1db1824f609f763d78c3b5d360335bd1a715fc27bef13ebe3c3b8323b601e99ccf7d1b404de25951849f9b436061d

memory/1360-195-0x0000000000E10000-0x00000000012C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

MD5 7adfc6a2e7a5daa59d291b6e434a59f3
SHA1 e21ef8be7b78912bed36121404270e5597a3fe25
SHA256 fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
SHA512 30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

memory/1032-229-0x0000000008480000-0x00000000084E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Continues

MD5 2226738a67da04cef580c99f70b9a514
SHA1 48bbfbfdce94231ebc1833b87ff6e79aa716e3b4
SHA256 e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1
SHA512 c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08

memory/1032-231-0x00000000092D0000-0x0000000009492000-memory.dmp

memory/1032-232-0x00000000099D0000-0x0000000009EFC000-memory.dmp

memory/2912-233-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3064-268-0x0000000009250000-0x00000000092A0000-memory.dmp

memory/1360-269-0x0000000000E10000-0x00000000012C5000-memory.dmp

memory/1360-275-0x0000000000E10000-0x00000000012C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sonic

MD5 1b5bba21607d9a9c3293ff564ecf4f1a
SHA1 de790d57fbfae12e649bf65fd9695e36a266696a
SHA256 fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e
SHA512 b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a

C:\Users\Admin\AppData\Local\Temp\Corresponding

MD5 7eb7312237cf8653a876136046ce8b3e
SHA1 250d61e72b9a6d0d436e04b569459bb69bb2ab9e
SHA256 fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725
SHA512 778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699

C:\Users\Admin\AppData\Local\Temp\Mr

MD5 0c3f23378f256b116fca366d08dbd146
SHA1 c6c92667dea09b7a4b2b00193ee043278854db1e
SHA256 5defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65
SHA512 0db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3

C:\Users\Admin\AppData\Local\Temp\Speak

MD5 0e16cafd2403c552149e325d90637d12
SHA1 efe1e6af41751ca9978c3a21c82ef135a8846f21
SHA256 93ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0
SHA512 0251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec

C:\Users\Admin\AppData\Local\Temp\Zinc

MD5 51143491656ae2ee983d709c45a41861
SHA1 1cf8eb8d13246195cfc6168524d212c9a65b4681
SHA256 dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81
SHA512 239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d

C:\Users\Admin\AppData\Local\Temp\Continue

MD5 6184a8fc79d602bc18c0badb08598580
SHA1 de3a273e7020d43729044e41272c301118cc3641
SHA256 a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7
SHA512 41687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb

C:\Users\Admin\AppData\Local\Temp\Mobile

MD5 b81b3a6c6725be1cdd528e5fb3a9aa07
SHA1 069d5fd30b48bf5345d21c2af0106325e9372c8f
SHA256 08e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84
SHA512 7a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2

C:\Users\Admin\AppData\Local\Temp\Dietary

MD5 30a3ed3849e36b4c26a02cf030ea985a
SHA1 d3d29d3ba2c033d0abb6105cd274001e65d07f4e
SHA256 6d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca
SHA512 158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d

C:\Users\Admin\AppData\Local\Temp\Template

MD5 0e70f873cb8f5615dd364325b714895a
SHA1 089a8f5d7d90e7eedd6d02e30aa458440c89d7a7
SHA256 4734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94
SHA512 867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4

C:\Users\Admin\AppData\Local\Temp\Minister

MD5 97dd60ac57e3f1873f3120688d47cd3d
SHA1 e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736
SHA256 526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452
SHA512 831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a

C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\40365\s

MD5 30ab54ae1c615436d881fc336c264fef
SHA1 7e2a049923d49ae5859d2a0aa3a7dd092e672bd1
SHA256 ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db
SHA512 1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2912-330-0x00000000007B0000-0x00000000009F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe

MD5 304a5a222857d412cdd4effbb1ec170e
SHA1 34924c42524ca8e7fcc1fc604626d9c5f277dba2
SHA256 d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6
SHA512 208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f

memory/3248-360-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3248-363-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3248-362-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3248-361-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3248-359-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3248-358-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3248-356-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3248-350-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3248-357-0x0000000140000000-0x0000000140278000-memory.dmp

memory/1360-377-0x0000000000E10000-0x00000000012C5000-memory.dmp

memory/3248-378-0x0000000140000000-0x0000000140278000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe

MD5 7f7c9fc57f37c0c3149a94c813475a9d
SHA1 58c9ab2bd639c297cf0299d1de361ae1c930b498
SHA256 fcf4028d1c45c10edae760c507bfc3b6d7418ba2c38dbcf0759016412aee5d37
SHA512 6a373b550a4567d6d0e93e7203df097de8beb64a7ddb1cc347458a3c580d33980244eca966995e0cf39a717efcea71c44c09b2cde5864ff16cde3961b3bf99f9

memory/1232-403-0x0000000000F40000-0x00000000014D8000-memory.dmp

memory/1232-404-0x0000000005EC0000-0x0000000005F5C000-memory.dmp

memory/1232-405-0x0000000006120000-0x00000000063D2000-memory.dmp

memory/1232-406-0x0000000005DF0000-0x0000000005E12000-memory.dmp

memory/2044-409-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/2044-411-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/2044-407-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/3248-412-0x0000000000400000-0x0000000000E13000-memory.dmp

memory/1360-413-0x0000000000E10000-0x00000000012C5000-memory.dmp

memory/3248-414-0x0000000140000000-0x0000000140278000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe

MD5 cfaf9b5fcc1f02a3bc79914a77a3b58d
SHA1 d492e02c731f9f2192bd64308b522eb93ae11000
SHA256 087ae7982356ee1cd621ddcbc31f7ef94f66887026d8baea672ee446266f3202
SHA512 56c0f76bbb3ebc0623e33b3a3dcd1d33b04286b9b2fcd6ee5304f6d75cac1d7eb8b8bea601673c4b4248b73de2598c45bc3f940858840d8e42b34cf89f6941f3

memory/5984-440-0x00000000044E0000-0x000000000454F000-memory.dmp

memory/5984-441-0x00000000044E0000-0x000000000454F000-memory.dmp

memory/5984-442-0x00000000044E0000-0x000000000454F000-memory.dmp

memory/5984-443-0x00000000044E0000-0x000000000454F000-memory.dmp

memory/5984-444-0x00000000044E0000-0x000000000454F000-memory.dmp

memory/5984-445-0x00000000044E0000-0x000000000454F000-memory.dmp

memory/5984-446-0x00000000044E0000-0x000000000454F000-memory.dmp

memory/4680-449-0x0000000000E10000-0x00000000012C5000-memory.dmp

memory/4680-453-0x0000000000E10000-0x00000000012C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

MD5 e6d4b7b529cc401a1c528e8833352039
SHA1 7b2837a2c9eea49e328a425db174a3b5c77d6bb5
SHA256 8f7f41837b9cc115588a83268e8f240149e07859eb1a811aaf135c03d14dbe0c
SHA512 35804a8eb6c31da2b8d36518bd1c2e9afeb5efbb522f2fc47b8d4ba83fb525bd65210732aa4823d7da8aa4f8b5accb4817588a8e103ab7a10e87a585d6cf4ea3

C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\python310.dll

MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\stub.exe

MD5 d66b6390d1b5b309676b59d5017869a9
SHA1 b1821d78403faa151cd771a9df7e140b0ee686b8
SHA256 e3499112471e1fee441ff5ea3302661d6089c46d45922a1aaca547712352702f
SHA512 55f6a8dd7e2fd783469bd608348f659aa28c3ceec3f4fe0fa3ac362d745da0a3e518efff2c54e550102cb8b008617d24ca4bb7169ace5ecc0b6c856be61770d6

C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 a4b636201605067b676cc43784ae5570
SHA1 e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256 f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA512 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

MD5 b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA1 4efe3f21be36095673d949cceac928e11522b29c
SHA256 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512 e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\_sqlite3.pyd

MD5 7f61eacbbba2ecf6bf4acf498fa52ce1
SHA1 3174913f971d031929c310b5e51872597d613606
SHA256 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e
SHA512 a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\sqlite3.dll

MD5 926dc90bd9faf4efe1700564aa2a1700
SHA1 763e5af4be07444395c2ab11550c70ee59284e6d
SHA256 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0
SHA512 a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\_ctypes.pyd

MD5 87596db63925dbfe4d5f0f36394d7ab0
SHA1 ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA256 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512 e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

C:\Users\Admin\AppData\Local\Temp\Web.db

MD5 87210e9e528a4ddb09c6b671937c79c6
SHA1 3c75314714619f5b55e25769e0985d497f0062f2
SHA256 eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512 f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

C:\Users\Admin\AppData\Local\Temp\Web.db

MD5 e54dec68d633001c42366d0ecde3f2e0
SHA1 68ad889d9b6f02fa8d7c3df69d30eeff5745ef52
SHA256 387015740938f6d013d089c66d2250c6f4e80f9d7d7a0887043df3dc3f812f02
SHA512 dd531dfbbb35f4d92858227bebb93f396690e8a902cd61fc80e7a981cd34a4fdd8490130a552069f48f6a06f21f7c3a63e6e205274bb50f85cb81a1b329901f2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_243aezew.wqu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2376-577-0x0000022441F90000-0x0000022441FB2000-memory.dmp

memory/5976-618-0x0000000000E10000-0x00000000012C5000-memory.dmp

memory/5976-620-0x0000000000E10000-0x00000000012C5000-memory.dmp