amadey | 2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12

Resubmissions

30-08-2024 04:09

240830-eq2rpawbjb 10

30-08-2024 03:04

240830-dkk2batere 10

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
Size

1.8MB
MD5

bf7e6a36b168f8b9aac4e47fe6caae27
SHA1

45fa975387ab5a3799396da7ab405e7358dabdfe
SHA256

2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12
SHA512

84eeee19b0fe0c0503c06e301e856951a244b4d554dd3e8164521525d6dd786cb884920a4f4706ce89d6e681c1346b6c0b1e9a7d81dd3ca6825e24f8c341fb96
SSDEEP

49152:G6RMxCRoqllW8C/HA+xJMht6+3d7vzh+Td:y0W8CY+WBdv4Td

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.250.45:26212

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

65.21.18.51:45580

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

amadey

Version

4.41

Botnet

a51500

http://api.garageserviceoperation.com

Attributes

install_dir
0cf505a27f
install_file
ednfovi.exe
strings_key
0044a8b8e295529eaf3743c9bc3171d2
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

lumma

https://abledzovmposia.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Monster Stealer. 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000234ff-519.dat	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2096-46-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/files/0x000700000002349d-117.dat	family_redline
behavioral1/memory/5048-126-0x00000000009C0000-0x0000000000A12000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1656 created 3332	1656	Beijing.pif	56
PID 1656 created 3332	1656	Beijing.pif	56

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2100	netsh.exe
3804	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Nework.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	runtime.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3412	cmd.exe
4724	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url	cmd.exe

Executes dropped EXE 19 IoCs

pid	Process
2864	axplong.exe
2752	crypted.exe
4076	crypteda.exe
1824	Avb8FRbpVj.exe
5048	IiFsNhvvfT.exe
3132	Nework.exe
2740	Hkbsse.exe
2260	stealc_default2.exe
3596	runtime.exe
1656	Beijing.pif
4784	BitcoinCore.exe
4192	openvpn12.exe
2040	axplong.exe
4860	Hkbsse.exe
4632	WASSetup.exe
3308	build.exe
1508	stub.exe
4364	Hkbsse.exe
1532	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe

Loads dropped DLL 35 IoCs

pid	Process
2260	stealc_default2.exe
2260	stealc_default2.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe
1508	stub.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
101	raw.githubusercontent.com
102	raw.githubusercontent.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
99	ip-api.com
71	api.myip.com
72	api.myip.com
73	ipinfo.io
75	ipinfo.io

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2720	ARP.EXE
3396	cmd.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
4772	tasklist.exe
1040	tasklist.exe
1804	tasklist.exe
4644	tasklist.exe
1936	tasklist.exe
4968	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4500	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1608	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
2864	axplong.exe
2040	axplong.exe
1532	axplong.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 2096	2752	crypted.exe	92
PID 4076 set thread context of 3920	4076	crypteda.exe	97
PID 4192 set thread context of 2232	4192	openvpn12.exe	129
PID 4632 set thread context of 4556	4632	WASSetup.exe	134

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EquationExplorer	runtime.exe
File opened for modification	C:\Windows\SysOrleans	runtime.exe
File opened for modification	C:\Windows\HostelGalleries	runtime.exe
File opened for modification	C:\Windows\ConfiguringUps	runtime.exe
File opened for modification	C:\Windows\ExplorerProprietary	runtime.exe
File created	C:\Windows\Tasks\axplong.job	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File opened for modification	C:\Windows\ChestAntique	runtime.exe
File opened for modification	C:\Windows\TreeProfessor	runtime.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
436	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IiFsNhvvfT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WASSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openvpn12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runtime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avb8FRbpVj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beijing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1344	netsh.exe
4084	cmd.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3928	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
540	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3560	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4928	ipconfig.exe
3928	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2432	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3512	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
1608	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
2864	axplong.exe
2864	axplong.exe
2260	stealc_default2.exe
2260	stealc_default2.exe
1824	Avb8FRbpVj.exe
1824	Avb8FRbpVj.exe
5048	IiFsNhvvfT.exe
5048	IiFsNhvvfT.exe
2096	RegAsm.exe
2096	RegAsm.exe
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
5048	IiFsNhvvfT.exe
5048	IiFsNhvvfT.exe
1656	Beijing.pif
1656	Beijing.pif
5048	IiFsNhvvfT.exe
5048	IiFsNhvvfT.exe
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif
2096	RegAsm.exe
2096	RegAsm.exe
2096	RegAsm.exe
2096	RegAsm.exe
2260	stealc_default2.exe
2260	stealc_default2.exe
2040	axplong.exe
2040	axplong.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
1532	axplong.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	Avb8FRbpVj.exe
Token: SeBackupPrivilege	1824	Avb8FRbpVj.exe
Token: SeSecurityPrivilege	1824	Avb8FRbpVj.exe
Token: SeSecurityPrivilege	1824	Avb8FRbpVj.exe
Token: SeSecurityPrivilege	1824	Avb8FRbpVj.exe
Token: SeSecurityPrivilege	1824	Avb8FRbpVj.exe
Token: SeDebugPrivilege	4644	tasklist.exe
Token: SeDebugPrivilege	5048	IiFsNhvvfT.exe
Token: SeDebugPrivilege	1936	tasklist.exe
Token: SeDebugPrivilege	2096	RegAsm.exe
Token: SeDebugPrivilege	4632	WASSetup.exe
Token: SeIncreaseQuotaPrivilege	5064	WMIC.exe
Token: SeSecurityPrivilege	5064	WMIC.exe
Token: SeTakeOwnershipPrivilege	5064	WMIC.exe
Token: SeLoadDriverPrivilege	5064	WMIC.exe
Token: SeSystemProfilePrivilege	5064	WMIC.exe
Token: SeSystemtimePrivilege	5064	WMIC.exe
Token: SeProfSingleProcessPrivilege	5064	WMIC.exe
Token: SeIncBasePriorityPrivilege	5064	WMIC.exe
Token: SeCreatePagefilePrivilege	5064	WMIC.exe
Token: SeBackupPrivilege	5064	WMIC.exe
Token: SeRestorePrivilege	5064	WMIC.exe
Token: SeShutdownPrivilege	5064	WMIC.exe
Token: SeDebugPrivilege	5064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5064	WMIC.exe
Token: SeRemoteShutdownPrivilege	5064	WMIC.exe
Token: SeUndockPrivilege	5064	WMIC.exe
Token: SeManageVolumePrivilege	5064	WMIC.exe
Token: 33	5064	WMIC.exe
Token: 34	5064	WMIC.exe
Token: 35	5064	WMIC.exe
Token: 36	5064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3560	WMIC.exe
Token: SeSecurityPrivilege	3560	WMIC.exe
Token: SeTakeOwnershipPrivilege	3560	WMIC.exe
Token: SeLoadDriverPrivilege	3560	WMIC.exe
Token: SeSystemProfilePrivilege	3560	WMIC.exe
Token: SeSystemtimePrivilege	3560	WMIC.exe
Token: SeProfSingleProcessPrivilege	3560	WMIC.exe
Token: SeIncBasePriorityPrivilege	3560	WMIC.exe
Token: SeCreatePagefilePrivilege	3560	WMIC.exe
Token: SeBackupPrivilege	3560	WMIC.exe
Token: SeRestorePrivilege	3560	WMIC.exe
Token: SeShutdownPrivilege	3560	WMIC.exe
Token: SeDebugPrivilege	3560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3560	WMIC.exe
Token: SeRemoteShutdownPrivilege	3560	WMIC.exe
Token: SeUndockPrivilege	3560	WMIC.exe
Token: SeManageVolumePrivilege	3560	WMIC.exe
Token: 33	3560	WMIC.exe
Token: 34	3560	WMIC.exe
Token: 35	3560	WMIC.exe
Token: 36	3560	WMIC.exe
Token: SeDebugPrivilege	4968	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5064	WMIC.exe
Token: SeSecurityPrivilege	5064	WMIC.exe
Token: SeTakeOwnershipPrivilege	5064	WMIC.exe
Token: SeLoadDriverPrivilege	5064	WMIC.exe
Token: SeSystemProfilePrivilege	5064	WMIC.exe
Token: SeSystemtimePrivilege	5064	WMIC.exe
Token: SeProfSingleProcessPrivilege	5064	WMIC.exe
Token: SeIncBasePriorityPrivilege	5064	WMIC.exe
Token: SeCreatePagefilePrivilege	5064	WMIC.exe
Token: SeBackupPrivilege	5064	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1656	Beijing.pif
1656	Beijing.pif
1656	Beijing.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2864	1608	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe	87
PID 1608 wrote to memory of 2864	1608	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe	87
PID 1608 wrote to memory of 2864	1608	2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe	87
PID 2864 wrote to memory of 2752	2864	axplong.exe	88
PID 2864 wrote to memory of 2752	2864	axplong.exe	88
PID 2864 wrote to memory of 2752	2864	axplong.exe	88
PID 2752 wrote to memory of 2096	2752	crypted.exe	92
PID 2752 wrote to memory of 2096	2752	crypted.exe	92
PID 2752 wrote to memory of 2096	2752	crypted.exe	92
PID 2752 wrote to memory of 2096	2752	crypted.exe	92
PID 2752 wrote to memory of 2096	2752	crypted.exe	92
PID 2752 wrote to memory of 2096	2752	crypted.exe	92
PID 2752 wrote to memory of 2096	2752	crypted.exe	92
PID 2752 wrote to memory of 2096	2752	crypted.exe	92
PID 2864 wrote to memory of 4076	2864	axplong.exe	96
PID 2864 wrote to memory of 4076	2864	axplong.exe	96
PID 2864 wrote to memory of 4076	2864	axplong.exe	96
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 4076 wrote to memory of 3920	4076	crypteda.exe	97
PID 3920 wrote to memory of 1824	3920	RegAsm.exe	98
PID 3920 wrote to memory of 1824	3920	RegAsm.exe	98
PID 3920 wrote to memory of 1824	3920	RegAsm.exe	98
PID 3920 wrote to memory of 5048	3920	RegAsm.exe	100
PID 3920 wrote to memory of 5048	3920	RegAsm.exe	100
PID 3920 wrote to memory of 5048	3920	RegAsm.exe	100
PID 2864 wrote to memory of 3132	2864	axplong.exe	101
PID 2864 wrote to memory of 3132	2864	axplong.exe	101
PID 2864 wrote to memory of 3132	2864	axplong.exe	101
PID 3132 wrote to memory of 2740	3132	Nework.exe	102
PID 3132 wrote to memory of 2740	3132	Nework.exe	102
PID 3132 wrote to memory of 2740	3132	Nework.exe	102
PID 2864 wrote to memory of 2260	2864	axplong.exe	104
PID 2864 wrote to memory of 2260	2864	axplong.exe	104
PID 2864 wrote to memory of 2260	2864	axplong.exe	104
PID 2864 wrote to memory of 3596	2864	axplong.exe	105
PID 2864 wrote to memory of 3596	2864	axplong.exe	105
PID 2864 wrote to memory of 3596	2864	axplong.exe	105
PID 3596 wrote to memory of 3420	3596	runtime.exe	106
PID 3596 wrote to memory of 3420	3596	runtime.exe	106
PID 3596 wrote to memory of 3420	3596	runtime.exe	106
PID 3420 wrote to memory of 4644	3420	cmd.exe	110
PID 3420 wrote to memory of 4644	3420	cmd.exe	110
PID 3420 wrote to memory of 4644	3420	cmd.exe	110
PID 3420 wrote to memory of 720	3420	cmd.exe	111
PID 3420 wrote to memory of 720	3420	cmd.exe	111
PID 3420 wrote to memory of 720	3420	cmd.exe	111
PID 3420 wrote to memory of 1936	3420	cmd.exe	112
PID 3420 wrote to memory of 1936	3420	cmd.exe	112
PID 3420 wrote to memory of 1936	3420	cmd.exe	112
PID 3420 wrote to memory of 3248	3420	cmd.exe	113
PID 3420 wrote to memory of 3248	3420	cmd.exe	113
PID 3420 wrote to memory of 3248	3420	cmd.exe	113
PID 3420 wrote to memory of 5088	3420	cmd.exe	114
PID 3420 wrote to memory of 5088	3420	cmd.exe	114
PID 3420 wrote to memory of 5088	3420	cmd.exe	114
PID 3420 wrote to memory of 5108	3420	cmd.exe	115

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2596	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
  "C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4076
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe
        
        "C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
      - C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe
        
        "C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
      "C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:720
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 40365
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "HopeBuildersGeniusIslam" Sonic
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
        
        Beijing.pif s
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1656
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
      "C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"
      4⤵
      Executes dropped EXE
      PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe
      "C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4192
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4632
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
      "C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe"
      4⤵
      Executes dropped EXE
      PID:3308
    - - C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1508
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:2080
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:3028
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:4440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:532
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:3248
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:4436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:2632
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:1060
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        6⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:4500
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()""
        6⤵
        
        PID:4004
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()"
        7⤵
        
        PID:3252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:4300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3512
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:3752
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:1040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:3412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:4724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:4912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:4116
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:5080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:3396
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:2432
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:4772
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:540
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:720
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:4668
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:3948
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5088
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:4916
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:2816
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:4320
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:4920
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:1484
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:4400
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:752
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:4940
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:648
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:1804
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:4928
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:4796
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:2720
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3928
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:436
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2100
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4084
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1344
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:3116
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:3940
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3108

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe

Filesize
314KB

MD5
6134586375c01f97f8777bae1bf5ed98

SHA1
4787fa996b75dbc54632cc321725ee62666868a1

SHA256
414becb8aabd4e8c406e84df062bee1a45cffa334ae30022078cfa71da9e330d

SHA512
652ed16d96b5700f105c2bab8e7258f167bc1615b6397be7340c08df7c977842844326e07fdef677aecfaf07263f99bb7968c9fc926e90e5a33d2ed793f8436b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.1MB

MD5
8e74497aff3b9d2ddb7e7f819dfc69ba

SHA1
1d18154c206083ead2d30995ce2847cbeb6cdbc1

SHA256
d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66

SHA512
9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\Set-up+%282%29.exe

Filesize
15B

MD5
d5ed74dc7d1bea716c32ed5efaa8f625

SHA1
69b28bac3fdb3dd6cf7748af00fc433391e8aeb9

SHA256
5458848903d44a7340933dd519e21a8305bd6f78bd9a98fb1e79c7395255b9f7

SHA512
05d5d3feb3c27360f5f1e2fc4fc8ab8f98d1db1824f609f763d78c3b5d360335bd1a715fc27bef13ebe3c3b8323b601e99ccf7d1b404de25951849f9b436061d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

Filesize
1.1MB

MD5
7adfc6a2e7a5daa59d291b6e434a59f3

SHA1
e21ef8be7b78912bed36121404270e5597a3fe25

SHA256
fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693

SHA512
30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe

Filesize
10.0MB

MD5
304a5a222857d412cdd4effbb1ec170e

SHA1
34924c42524ca8e7fcc1fc604626d9c5f277dba2

SHA256
d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6

SHA512
208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe

Filesize
5.6MB

MD5
7f7c9fc57f37c0c3149a94c813475a9d

SHA1
58c9ab2bd639c297cf0299d1de361ae1c930b498

SHA256
fcf4028d1c45c10edae760c507bfc3b6d7418ba2c38dbcf0759016412aee5d37

SHA512
6a373b550a4567d6d0e93e7203df097de8beb64a7ddb1cc347458a3c580d33980244eca966995e0cf39a717efcea71c44c09b2cde5864ff16cde3961b3bf99f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe

Filesize
15.4MB

MD5
cfaf9b5fcc1f02a3bc79914a77a3b58d

SHA1
d492e02c731f9f2192bd64308b522eb93ae11000

SHA256
087ae7982356ee1cd621ddcbc31f7ef94f66887026d8baea672ee446266f3202

SHA512
56c0f76bbb3ebc0623e33b3a3dcd1d33b04286b9b2fcd6ee5304f6d75cac1d7eb8b8bea601673c4b4248b73de2598c45bc3f940858840d8e42b34cf89f6941f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

Filesize
10.5MB

MD5
e6d4b7b529cc401a1c528e8833352039

SHA1
7b2837a2c9eea49e328a425db174a3b5c77d6bb5

SHA256
8f7f41837b9cc115588a83268e8f240149e07859eb1a811aaf135c03d14dbe0c

SHA512
35804a8eb6c31da2b8d36518bd1c2e9afeb5efbb522f2fc47b8d4ba83fb525bd65210732aa4823d7da8aa4f8b5accb4817588a8e103ab7a10e87a585d6cf4ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\40365\s

Filesize
554KB

MD5
30ab54ae1c615436d881fc336c264fef

SHA1
7e2a049923d49ae5859d2a0aa3a7dd092e672bd1

SHA256
ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db

SHA512
1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
bf7e6a36b168f8b9aac4e47fe6caae27

SHA1
45fa975387ab5a3799396da7ab405e7358dabdfe

SHA256
2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12

SHA512
84eeee19b0fe0c0503c06e301e856951a244b4d554dd3e8164521525d6dd786cb884920a4f4706ce89d6e681c1346b6c0b1e9a7d81dd3ca6825e24f8c341fb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continue

Filesize
31KB

MD5
6184a8fc79d602bc18c0badb08598580

SHA1
de3a273e7020d43729044e41272c301118cc3641

SHA256
a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7

SHA512
41687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continues

Filesize
14KB

MD5
2226738a67da04cef580c99f70b9a514

SHA1
48bbfbfdce94231ebc1833b87ff6e79aa716e3b4

SHA256
e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1

SHA512
c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Corresponding

Filesize
871KB

MD5
7eb7312237cf8653a876136046ce8b3e

SHA1
250d61e72b9a6d0d436e04b569459bb69bb2ab9e

SHA256
fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725

SHA512
778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dietary

Filesize
89KB

MD5
30a3ed3849e36b4c26a02cf030ea985a

SHA1
d3d29d3ba2c033d0abb6105cd274001e65d07f4e

SHA256
6d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca

SHA512
158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minister

Filesize
98KB

MD5
97dd60ac57e3f1873f3120688d47cd3d

SHA1
e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736

SHA256
526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452

SHA512
831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mobile

Filesize
76KB

MD5
b81b3a6c6725be1cdd528e5fb3a9aa07

SHA1
069d5fd30b48bf5345d21c2af0106325e9372c8f

SHA256
08e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84

SHA512
7a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mr

Filesize
86KB

MD5
0c3f23378f256b116fca366d08dbd146

SHA1
c6c92667dea09b7a4b2b00193ee043278854db1e

SHA256
5defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65

SHA512
0db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sonic

Filesize
982B

MD5
1b5bba21607d9a9c3293ff564ecf4f1a

SHA1
de790d57fbfae12e649bf65fd9695e36a266696a

SHA256
fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e

SHA512
b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speak

Filesize
55KB

MD5
0e16cafd2403c552149e325d90637d12

SHA1
efe1e6af41751ca9978c3a21c82ef135a8846f21

SHA256
93ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0

SHA512
0251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Template

Filesize
56KB

MD5
0e70f873cb8f5615dd364325b714895a

SHA1
089a8f5d7d90e7eedd6d02e30aa458440c89d7a7

SHA256
4734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94

SHA512
867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp922E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zinc

Filesize
63KB

MD5
51143491656ae2ee983d709c45a41861

SHA1
1cf8eb8d13246195cfc6168524d212c9a65b4681

SHA256
dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81

SHA512
239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_in21gbuf.2io.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe

Filesize
15.9MB

MD5
d66b6390d1b5b309676b59d5017869a9

SHA1
b1821d78403faa151cd771a9df7e140b0ee686b8

SHA256
e3499112471e1fee441ff5ea3302661d6089c46d45922a1aaca547712352702f

SHA512
55f6a8dd7e2fd783469bd608348f659aa28c3ceec3f4fe0fa3ac362d745da0a3e518efff2c54e550102cb8b008617d24ca4bb7169ace5ecc0b6c856be61770d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe

Filesize
544KB

MD5
88367533c12315805c059e688e7cdfe9

SHA1
64a107adcbac381c10bd9c5271c2087b7aa369ec

SHA256
c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9

SHA512
7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

Download Submit
C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe

Filesize
304KB

MD5
30f46f4476cdc27691c7fdad1c255037

SHA1
b53415af5d01f8500881c06867a49a5825172e36

SHA256
3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0

SHA512
271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\76b53b3ec448f7ccdda2063b15d2bfc3_c186ecc3-67e4-4d2b-8682-b6c322da87aa

Filesize
2KB

MD5
c723193da2e7a4665b199a8a680220ea

SHA1
b4351fc2e9b1fc9d212aa97db2d92ca9b12e7f60

SHA256
8a9aa5d97adcbc2ad4ef19826011012d8bafa275f5043b1a55b4e62602a40d40

SHA512
919926349b81a87a40a9681eaf1b4877d2567be727d6de52e1b12917630352876623b3abb3af7b74d7827e8bbdb564ee72957e686d27a40ff3ff4ef789641516

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
4107e62fd0aab27e26bb5935018cc2e6

SHA1
e6bd7391484ff88297953f313789485eb4f5ac28

SHA256
e414e76bf70e2261c8da9ba3736fcd978aee74c0eee8667931d7aed356a5ef1b

SHA512
56317293399a4fcd94752ec52061f2239a682d3a939b2a94f89cc8ccaf66575bd13e66295ac4326008fd9f35d0a3d77667425cfef21ec5eb7a8cbefd62927fe7

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
8864202c5fd6edef7dff9e7177d2d18b

SHA1
cdd76aaf0a9d2ea8bcdeaf336032add0ec405313

SHA256
3fb12096937620ecb84b306caabccdb902c67923299c433ee184cc75d4ea71c5

SHA512
fabc71dd02544a32d66fd08e75479805b42ebc1c33f7e64935e59aa7b8bf3e0085ff94e6171c5df88a80df49673dd494be6af3148f0972a2df5afcdd4de90de8

Download Submit
memory/1532-622-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/1608-3-0x0000000000F90000-0x000000000143A000-memory.dmp

Filesize
4.7MB

Download
memory/1608-4-0x0000000000F90000-0x000000000143A000-memory.dmp

Filesize
4.7MB

Download
memory/1608-17-0x0000000000F90000-0x000000000143A000-memory.dmp

Filesize
4.7MB

Download
memory/1608-2-0x0000000000F91000-0x0000000000FBF000-memory.dmp

Filesize
184KB

Download
memory/1608-0-0x0000000000F90000-0x000000000143A000-memory.dmp

Filesize
4.7MB

Download
memory/1608-1-0x0000000077A34000-0x0000000077A36000-memory.dmp

Filesize
8KB

Download
memory/1656-340-0x00000000045B0000-0x000000000461F000-memory.dmp

Filesize
444KB

Download
memory/1656-363-0x00000000045B0000-0x000000000461F000-memory.dmp

Filesize
444KB

Download
memory/1656-343-0x00000000045B0000-0x000000000461F000-memory.dmp

Filesize
444KB

Download
memory/1656-344-0x00000000045B0000-0x000000000461F000-memory.dmp

Filesize
444KB

Download
memory/1656-342-0x00000000045B0000-0x000000000461F000-memory.dmp

Filesize
444KB

Download
memory/1656-341-0x00000000045B0000-0x000000000461F000-memory.dmp

Filesize
444KB

Download
memory/1656-339-0x00000000045B0000-0x000000000461F000-memory.dmp

Filesize
444KB

Download
memory/1824-254-0x000000000AAA0000-0x000000000AFCC000-memory.dmp

Filesize
5.2MB

Download
memory/1824-253-0x000000000A3A0000-0x000000000A562000-memory.dmp

Filesize
1.8MB

Download
memory/1824-232-0x0000000008A90000-0x0000000008AF6000-memory.dmp

Filesize
408KB

Download
memory/1824-127-0x0000000000FF0000-0x000000000107E000-memory.dmp

Filesize
568KB

Download
memory/2040-437-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2040-435-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2096-74-0x00000000072B0000-0x00000000072C2000-memory.dmp

Filesize
72KB

Download
memory/2096-76-0x0000000006E40000-0x0000000006E8C000-memory.dmp

Filesize
304KB

Download
memory/2096-73-0x0000000008C30000-0x0000000008D3A000-memory.dmp

Filesize
1.0MB

Download
memory/2096-68-0x0000000006370000-0x00000000063E6000-memory.dmp

Filesize
472KB

Download
memory/2096-75-0x0000000006DD0000-0x0000000006E0C000-memory.dmp

Filesize
240KB

Download
memory/2096-51-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/2096-46-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2096-49-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/2096-50-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/2096-69-0x0000000006A20000-0x0000000006A3E000-memory.dmp

Filesize
120KB

Download
memory/2096-72-0x00000000073B0000-0x00000000079C8000-memory.dmp

Filesize
6.1MB

Download
memory/2232-420-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2232-418-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2232-422-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2260-334-0x00000000008F0000-0x0000000000B33000-memory.dmp

Filesize
2.3MB

Download
memory/2260-190-0x00000000008F0000-0x0000000000B33000-memory.dmp

Filesize
2.3MB

Download
memory/2260-235-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2752-42-0x000000007353E000-0x000000007353F000-memory.dmp

Filesize
4KB

Download
memory/2752-43-0x0000000000B20000-0x0000000000B74000-memory.dmp

Filesize
336KB

Download
memory/2864-198-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-338-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-336-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-275-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-21-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-19-0x0000000000701000-0x000000000072F000-memory.dmp

Filesize
184KB

Download
memory/2864-388-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-20-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-18-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-234-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/2864-255-0x0000000000700000-0x0000000000BAA000-memory.dmp

Filesize
4.7MB

Download
memory/3920-97-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3920-122-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3920-99-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3920-102-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3920-101-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4076-95-0x00000000003D0000-0x00000000004E2000-memory.dmp

Filesize
1.1MB

Download
memory/4192-416-0x00000000051A0000-0x0000000005452000-memory.dmp

Filesize
2.7MB

Download
memory/4192-415-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/4192-414-0x0000000000140000-0x00000000006D8000-memory.dmp

Filesize
5.6MB

Download
memory/4192-417-0x0000000004F40000-0x0000000004F62000-memory.dmp

Filesize
136KB

Download
memory/4724-590-0x000001C1231A0000-0x000001C1231C2000-memory.dmp

Filesize
136KB

Download
memory/4784-389-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-364-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-374-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-377-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-375-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-376-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-423-0x0000000000400000-0x0000000000E13000-memory.dmp

Filesize
10.1MB

Download
memory/4784-425-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-372-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-370-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-373-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4784-371-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/5048-126-0x00000000009C0000-0x0000000000A12000-memory.dmp

Filesize
328KB

Download
memory/5048-276-0x00000000078C0000-0x0000000007910000-memory.dmp

Filesize
320KB

Download