Analysis Overview
SHA256
ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2
Threat Level: Known bad
The file ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2 was found to be: Known bad.
Malicious Activity Summary
RedLine
Detects Monster Stealer.
RedLine payload
Amadey
Stealc
Exela Stealer
Monster
Suspicious use of NtCreateUserProcessOtherParentProcess
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Modifies Windows Firewall
Downloads MZ/PE file
Identifies Wine through registry keys
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Checks computer location settings
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks BIOS information in registry
Clipboard Data
Network Service Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Hide Artifacts: Hidden Files and Directories
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Connections Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Checks processor information in registry
Suspicious use of WriteProcessMemory
Gathers network information
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Collects information from the system
Suspicious use of SendNotifyMessage
Runs net.exe
Gathers system information
Kills process with taskkill
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-30 02:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 02:11
Reported
2024-08-30 02:13
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1244 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| PID 1244 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| PID 1244 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe
"C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
memory/1244-0-0x0000000000120000-0x00000000005D5000-memory.dmp
memory/1244-1-0x0000000077B24000-0x0000000077B26000-memory.dmp
memory/1244-2-0x0000000000121000-0x000000000014F000-memory.dmp
memory/1244-3-0x0000000000120000-0x00000000005D5000-memory.dmp
memory/1244-4-0x0000000000120000-0x00000000005D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | f6911f034b6809f72c761b37b7a3c336 |
| SHA1 | 3c6155a81deb337c9c4d5211cfe9be3f94103b92 |
| SHA256 | ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2 |
| SHA512 | f54310829774dfc9dd4bd9f159eb1d29c95439371c70747bf9d4c4da2e5563367ec7632b39c61fb4b9fe0efb7e3d76dd621239b228ab9cdfce3c349f0ad7a3fa |
memory/3792-16-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/1244-18-0x0000000000120000-0x00000000005D5000-memory.dmp
memory/3792-20-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-19-0x0000000000F21000-0x0000000000F4F000-memory.dmp
memory/3792-21-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-22-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-23-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-24-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-25-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-26-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-27-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/4364-29-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/4364-30-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/4364-31-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/4364-33-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-34-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-35-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-36-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-37-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-38-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-39-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/2552-41-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-42-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-43-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-44-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-45-0x0000000000F20000-0x00000000013D5000-memory.dmp
memory/3792-46-0x0000000000F20000-0x00000000013D5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 02:11
Reported
2024-08-30 02:13
Platform
win11-20240802-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Amadey
Detects Monster Stealer.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Exela Stealer
Monster
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5984 created 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
| PID 5984 created 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
Credentials from Password Stores: Credentials from Web Browsers
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 324 set thread context of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3660 set thread context of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1232 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1192 set thread context of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\TreeProfessor | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\SysOrleans | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| File opened for modification | C:\Windows\ChestAntique | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\EquationExplorer | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ExplorerProprietary | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| File opened for modification | C:\Windows\HostelGalleries | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ConfiguringUps | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe
"C:\Users\Admin\AppData\Local\Temp\ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe
"C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe"
C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe
"C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 40365
C:\Windows\SysWOW64\findstr.exe
findstr /V "HopeBuildersGeniusIslam" Sonic
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
Beijing.pif s
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"
C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe
"C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe
"C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
"C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\stub.exe
C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | ddl.safone.dev | udp |
| IE | 63.32.161.232:80 | ddl.safone.dev | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.161.32.63.in-addr.arpa | udp |
| DE | 95.179.250.45:26212 | tcp | |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | tcp | |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| EE | 147.45.60.44:80 | stagingbyvdveen.com | tcp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| FI | 95.216.107.53:12311 | tcp | |
| IN | 69.57.172.44:443 | cgil.in | tcp |
| NL | 45.91.200.135:80 | 45.91.200.135 | tcp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 104.21.61.115:443 | abledzovmposia.shop | tcp |
| US | 172.67.207.182:443 | locatedblsoqp.shop | tcp |
| US | 172.67.177.240:443 | traineiwnqo.shop | tcp |
| N/A | 127.0.0.1:50351 | tcp | |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:50360 | tcp | |
| N/A | 127.0.0.1:50365 | tcp | |
| N/A | 127.0.0.1:50368 | tcp | |
| N/A | 127.0.0.1:50370 | tcp | |
| US | 172.67.193.102:443 | jirafasaltas.fun | tcp |
Files
memory/5348-0-0x00000000003B0000-0x0000000000865000-memory.dmp
memory/5348-1-0x00000000774D6000-0x00000000774D8000-memory.dmp
memory/5348-2-0x00000000003B1000-0x00000000003DF000-memory.dmp
memory/5348-3-0x00000000003B0000-0x0000000000865000-memory.dmp
memory/5348-4-0x00000000003B0000-0x0000000000865000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | f6911f034b6809f72c761b37b7a3c336 |
| SHA1 | 3c6155a81deb337c9c4d5211cfe9be3f94103b92 |
| SHA256 | ef0ef6c919120257f3d2e63ef94e163772f87b2310f10bf79212483a723d79a2 |
| SHA512 | f54310829774dfc9dd4bd9f159eb1d29c95439371c70747bf9d4c4da2e5563367ec7632b39c61fb4b9fe0efb7e3d76dd621239b228ab9cdfce3c349f0ad7a3fa |
memory/1360-18-0x0000000000E10000-0x00000000012C5000-memory.dmp
memory/5348-17-0x00000000003B0000-0x0000000000865000-memory.dmp
memory/1360-19-0x0000000000E11000-0x0000000000E3F000-memory.dmp
memory/1360-20-0x0000000000E10000-0x00000000012C5000-memory.dmp
memory/1360-21-0x0000000000E10000-0x00000000012C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
| MD5 | 6134586375c01f97f8777bae1bf5ed98 |
| SHA1 | 4787fa996b75dbc54632cc321725ee62666868a1 |
| SHA256 | 414becb8aabd4e8c406e84df062bee1a45cffa334ae30022078cfa71da9e330d |
| SHA512 | 652ed16d96b5700f105c2bab8e7258f167bc1615b6397be7340c08df7c977842844326e07fdef677aecfaf07263f99bb7968c9fc926e90e5a33d2ed793f8436b |
memory/324-42-0x0000000072D7E000-0x0000000072D7F000-memory.dmp
memory/324-43-0x0000000000930000-0x0000000000984000-memory.dmp
memory/3064-46-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3064-49-0x00000000057B0000-0x0000000005D56000-memory.dmp
memory/3064-50-0x0000000005200000-0x0000000005292000-memory.dmp
memory/3064-51-0x00000000052E0000-0x00000000052EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp8211.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3064-66-0x0000000005E60000-0x0000000005ED6000-memory.dmp
memory/3064-67-0x0000000006650000-0x000000000666E000-memory.dmp
memory/3064-70-0x0000000006FE0000-0x00000000075F8000-memory.dmp
memory/3064-71-0x00000000087A0000-0x00000000088AA000-memory.dmp
memory/3064-72-0x0000000006F10000-0x0000000006F22000-memory.dmp
memory/3064-73-0x0000000006F70000-0x0000000006FAC000-memory.dmp
memory/3064-74-0x00000000088B0000-0x00000000088FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
memory/3660-93-0x0000000000850000-0x0000000000962000-memory.dmp
memory/2116-95-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2116-100-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2116-99-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2116-97-0x0000000000400000-0x000000000050D000-memory.dmp
C:\Users\Admin\AppData\Roaming\AhglqzZYic.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\PvZctqpppd.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
memory/2116-120-0x0000000000400000-0x000000000050D000-memory.dmp
memory/5624-123-0x0000000000C90000-0x0000000000CE2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2842058299-443432012-2465494467-1000\76b53b3ec448f7ccdda2063b15d2bfc3_4e5e470e-e4f7-4106-b4e9-66a8af691963
| MD5 | dd16830599a24dc0a30cf6e9d055885c |
| SHA1 | 43d5048e346ed94c18ff607b7f521b6989435182 |
| SHA256 | 56f6cf510913f97340c84d2e07384b58abab2be9dc8f433781ee481851576376 |
| SHA512 | 5bd417059695dbc5a77d615fd5f6fa8fc01339812e31c37a13bc04f68da7bf6fca2a5ba7db0eaf70bca283f7d7cf667e40292035426b993d60bfb777497a1156 |
memory/1032-125-0x0000000000050000-0x00000000000DE000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 969308f61ca2fb45df5e4ae973c4dbd6 |
| SHA1 | 1bdb248435b6c13fa153166de2864e0a91564788 |
| SHA256 | 77a3698b5bd084974895da04d0eb3d9290b29124db9da08c9fadb3c7e3a29ef7 |
| SHA512 | f06d2cd59664c3230a6481a82e6f7ac3ca74b6247c298cdc2ccdcefbab69fcac0be1fa715b534054d955397543774b6891811091f80e49412b3415c4ce317f9c |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 97636238cf96a58a1d1140aeaf8c6ecd |
| SHA1 | b6eefb42001664033dbcc09ecc3cf929914f6478 |
| SHA256 | 3b7dee6b76caf777dc6b374777ee6eb27263f4fa5e62919cf3d7beb2a28e1fc5 |
| SHA512 | 7037e14e73f0ac2a4d201941b47cb95e513100fe4193cf02b61bbb1b761da60512e96c0c8c958d560dcb300d064d307189c71ac80f79d0254f0d38ba30a7fc98 |
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
memory/1360-161-0x0000000000E10000-0x00000000012C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
memory/2912-187-0x00000000007B0000-0x00000000009F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000129001\Set-up+%282%29.exe
| MD5 | d5ed74dc7d1bea716c32ed5efaa8f625 |
| SHA1 | 69b28bac3fdb3dd6cf7748af00fc433391e8aeb9 |
| SHA256 | 5458848903d44a7340933dd519e21a8305bd6f78bd9a98fb1e79c7395255b9f7 |
| SHA512 | 05d5d3feb3c27360f5f1e2fc4fc8ab8f98d1db1824f609f763d78c3b5d360335bd1a715fc27bef13ebe3c3b8323b601e99ccf7d1b404de25951849f9b436061d |
memory/1360-195-0x0000000000E10000-0x00000000012C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
| MD5 | 7adfc6a2e7a5daa59d291b6e434a59f3 |
| SHA1 | e21ef8be7b78912bed36121404270e5597a3fe25 |
| SHA256 | fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693 |
| SHA512 | 30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b |
memory/1032-229-0x0000000008480000-0x00000000084E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Continues
| MD5 | 2226738a67da04cef580c99f70b9a514 |
| SHA1 | 48bbfbfdce94231ebc1833b87ff6e79aa716e3b4 |
| SHA256 | e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1 |
| SHA512 | c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08 |
memory/1032-231-0x00000000092D0000-0x0000000009492000-memory.dmp
memory/1032-232-0x00000000099D0000-0x0000000009EFC000-memory.dmp
memory/2912-233-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3064-268-0x0000000009250000-0x00000000092A0000-memory.dmp
memory/1360-269-0x0000000000E10000-0x00000000012C5000-memory.dmp
memory/1360-275-0x0000000000E10000-0x00000000012C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Sonic
| MD5 | 1b5bba21607d9a9c3293ff564ecf4f1a |
| SHA1 | de790d57fbfae12e649bf65fd9695e36a266696a |
| SHA256 | fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e |
| SHA512 | b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a |
C:\Users\Admin\AppData\Local\Temp\Corresponding
| MD5 | 7eb7312237cf8653a876136046ce8b3e |
| SHA1 | 250d61e72b9a6d0d436e04b569459bb69bb2ab9e |
| SHA256 | fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725 |
| SHA512 | 778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699 |
C:\Users\Admin\AppData\Local\Temp\Mr
| MD5 | 0c3f23378f256b116fca366d08dbd146 |
| SHA1 | c6c92667dea09b7a4b2b00193ee043278854db1e |
| SHA256 | 5defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65 |
| SHA512 | 0db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3 |
C:\Users\Admin\AppData\Local\Temp\Speak
| MD5 | 0e16cafd2403c552149e325d90637d12 |
| SHA1 | efe1e6af41751ca9978c3a21c82ef135a8846f21 |
| SHA256 | 93ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0 |
| SHA512 | 0251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec |
C:\Users\Admin\AppData\Local\Temp\Zinc
| MD5 | 51143491656ae2ee983d709c45a41861 |
| SHA1 | 1cf8eb8d13246195cfc6168524d212c9a65b4681 |
| SHA256 | dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81 |
| SHA512 | 239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d |
C:\Users\Admin\AppData\Local\Temp\Continue
| MD5 | 6184a8fc79d602bc18c0badb08598580 |
| SHA1 | de3a273e7020d43729044e41272c301118cc3641 |
| SHA256 | a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7 |
| SHA512 | 41687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb |
C:\Users\Admin\AppData\Local\Temp\Mobile
| MD5 | b81b3a6c6725be1cdd528e5fb3a9aa07 |
| SHA1 | 069d5fd30b48bf5345d21c2af0106325e9372c8f |
| SHA256 | 08e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84 |
| SHA512 | 7a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2 |
C:\Users\Admin\AppData\Local\Temp\Dietary
| MD5 | 30a3ed3849e36b4c26a02cf030ea985a |
| SHA1 | d3d29d3ba2c033d0abb6105cd274001e65d07f4e |
| SHA256 | 6d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca |
| SHA512 | 158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d |
C:\Users\Admin\AppData\Local\Temp\Template
| MD5 | 0e70f873cb8f5615dd364325b714895a |
| SHA1 | 089a8f5d7d90e7eedd6d02e30aa458440c89d7a7 |
| SHA256 | 4734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94 |
| SHA512 | 867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4 |
C:\Users\Admin\AppData\Local\Temp\Minister
| MD5 | 97dd60ac57e3f1873f3120688d47cd3d |
| SHA1 | e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736 |
| SHA256 | 526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452 |
| SHA512 | 831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a |
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\40365\s
| MD5 | 30ab54ae1c615436d881fc336c264fef |
| SHA1 | 7e2a049923d49ae5859d2a0aa3a7dd092e672bd1 |
| SHA256 | ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db |
| SHA512 | 1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2912-330-0x00000000007B0000-0x00000000009F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
| MD5 | 304a5a222857d412cdd4effbb1ec170e |
| SHA1 | 34924c42524ca8e7fcc1fc604626d9c5f277dba2 |
| SHA256 | d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6 |
| SHA512 | 208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f |
memory/3248-360-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3248-363-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3248-362-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3248-361-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3248-359-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3248-358-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3248-356-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3248-350-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3248-357-0x0000000140000000-0x0000000140278000-memory.dmp
memory/1360-377-0x0000000000E10000-0x00000000012C5000-memory.dmp
memory/3248-378-0x0000000140000000-0x0000000140278000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe
| MD5 | 7f7c9fc57f37c0c3149a94c813475a9d |
| SHA1 | 58c9ab2bd639c297cf0299d1de361ae1c930b498 |
| SHA256 | fcf4028d1c45c10edae760c507bfc3b6d7418ba2c38dbcf0759016412aee5d37 |
| SHA512 | 6a373b550a4567d6d0e93e7203df097de8beb64a7ddb1cc347458a3c580d33980244eca966995e0cf39a717efcea71c44c09b2cde5864ff16cde3961b3bf99f9 |
memory/1232-403-0x0000000000F40000-0x00000000014D8000-memory.dmp
memory/1232-404-0x0000000005EC0000-0x0000000005F5C000-memory.dmp
memory/1232-405-0x0000000006120000-0x00000000063D2000-memory.dmp
memory/1232-406-0x0000000005DF0000-0x0000000005E12000-memory.dmp
memory/2044-409-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/2044-411-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/2044-407-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3248-412-0x0000000000400000-0x0000000000E13000-memory.dmp
memory/1360-413-0x0000000000E10000-0x00000000012C5000-memory.dmp
memory/3248-414-0x0000000140000000-0x0000000140278000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe
| MD5 | cfaf9b5fcc1f02a3bc79914a77a3b58d |
| SHA1 | d492e02c731f9f2192bd64308b522eb93ae11000 |
| SHA256 | 087ae7982356ee1cd621ddcbc31f7ef94f66887026d8baea672ee446266f3202 |
| SHA512 | 56c0f76bbb3ebc0623e33b3a3dcd1d33b04286b9b2fcd6ee5304f6d75cac1d7eb8b8bea601673c4b4248b73de2598c45bc3f940858840d8e42b34cf89f6941f3 |
memory/5984-440-0x00000000044E0000-0x000000000454F000-memory.dmp
memory/5984-441-0x00000000044E0000-0x000000000454F000-memory.dmp
memory/5984-442-0x00000000044E0000-0x000000000454F000-memory.dmp
memory/5984-443-0x00000000044E0000-0x000000000454F000-memory.dmp
memory/5984-444-0x00000000044E0000-0x000000000454F000-memory.dmp
memory/5984-445-0x00000000044E0000-0x000000000454F000-memory.dmp
memory/5984-446-0x00000000044E0000-0x000000000454F000-memory.dmp
memory/4680-449-0x0000000000E10000-0x00000000012C5000-memory.dmp
memory/4680-453-0x0000000000E10000-0x00000000012C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
| MD5 | e6d4b7b529cc401a1c528e8833352039 |
| SHA1 | 7b2837a2c9eea49e328a425db174a3b5c77d6bb5 |
| SHA256 | 8f7f41837b9cc115588a83268e8f240149e07859eb1a811aaf135c03d14dbe0c |
| SHA512 | 35804a8eb6c31da2b8d36518bd1c2e9afeb5efbb522f2fc47b8d4ba83fb525bd65210732aa4823d7da8aa4f8b5accb4817588a8e103ab7a10e87a585d6cf4ea3 |
C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\python310.dll
| MD5 | c80b5cb43e5fe7948c3562c1fff1254e |
| SHA1 | f73cb1fb9445c96ecd56b984a1822e502e71ab9d |
| SHA256 | 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20 |
| SHA512 | faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81 |
C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\stub.exe
| MD5 | d66b6390d1b5b309676b59d5017869a9 |
| SHA1 | b1821d78403faa151cd771a9df7e140b0ee686b8 |
| SHA256 | e3499112471e1fee441ff5ea3302661d6089c46d45922a1aaca547712352702f |
| SHA512 | 55f6a8dd7e2fd783469bd608348f659aa28c3ceec3f4fe0fa3ac362d745da0a3e518efff2c54e550102cb8b008617d24ca4bb7169ace5ecc0b6c856be61770d6 |
C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | a4b636201605067b676cc43784ae5570 |
| SHA1 | e9f49d0fc75f25743d04ce23c496eb5f89e72a9a |
| SHA256 | f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c |
| SHA512 | 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | b5fbc034ad7c70a2ad1eb34d08b36cf8 |
| SHA1 | 4efe3f21be36095673d949cceac928e11522b29c |
| SHA256 | 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6 |
| SHA512 | e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c |
C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\_sqlite3.pyd
| MD5 | 7f61eacbbba2ecf6bf4acf498fa52ce1 |
| SHA1 | 3174913f971d031929c310b5e51872597d613606 |
| SHA256 | 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e |
| SHA512 | a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a |
C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\sqlite3.dll
| MD5 | 926dc90bd9faf4efe1700564aa2a1700 |
| SHA1 | 763e5af4be07444395c2ab11550c70ee59284e6d |
| SHA256 | 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0 |
| SHA512 | a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556 |
C:\Users\Admin\AppData\Local\Temp\onefile_4040_133694575220731233\_ctypes.pyd
| MD5 | 87596db63925dbfe4d5f0f36394d7ab0 |
| SHA1 | ad1dd48bbc078fe0a2354c28cb33f92a7e64907e |
| SHA256 | 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4 |
| SHA512 | e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b |
C:\Users\Admin\AppData\Local\Temp\Web.db
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |
C:\Users\Admin\AppData\Local\Temp\Web.db
| MD5 | e54dec68d633001c42366d0ecde3f2e0 |
| SHA1 | 68ad889d9b6f02fa8d7c3df69d30eeff5745ef52 |
| SHA256 | 387015740938f6d013d089c66d2250c6f4e80f9d7d7a0887043df3dc3f812f02 |
| SHA512 | dd531dfbbb35f4d92858227bebb93f396690e8a902cd61fc80e7a981cd34a4fdd8490130a552069f48f6a06f21f7c3a63e6e205274bb50f85cb81a1b329901f2 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_243aezew.wqu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2376-577-0x0000022441F90000-0x0000022441FB2000-memory.dmp
memory/5976-618-0x0000000000E10000-0x00000000012C5000-memory.dmp
memory/5976-620-0x0000000000E10000-0x00000000012C5000-memory.dmp