Malware Analysis Report

2024-10-18 23:46

Sample ID 240830-dkk2batere
Target 2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12
SHA256 2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12
Tags
amadey exelastealer lumma monster redline stealc @cloudytteam a51500 default2 fed3aa livetraffic collection credential_access defense_evasion discovery evasion infostealer persistence privilege_escalation spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12

Threat Level: Known bad

The file 2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12 was found to be: Known bad.

Malicious Activity Summary

amadey exelastealer lumma monster redline stealc @cloudytteam a51500 default2 fed3aa livetraffic collection credential_access defense_evasion discovery evasion infostealer persistence privilege_escalation spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Stealc

Exela Stealer

Lumma Stealer, LummaC

RedLine

RedLine payload

Monster

Amadey

Detects Monster Stealer.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Grants admin privileges

Downloads MZ/PE file

Modifies Windows Firewall

Clipboard Data

Reads user/profile data of web browsers

Drops startup file

Reads data files stored by FTP clients

Checks BIOS information in registry

Unsecured Credentials: Credentials In Files

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Network Service Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Hide Artifacts: Hidden Files and Directories

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Drops file in Windows directory

Launches sc.exe

Permission Groups Discovery: Local Groups

Program crash

System Network Connections Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Embeds OpenSSL

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Kills process with taskkill

Runs net.exe

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Modifies system certificate store

Scheduled Task/Job: Scheduled Task

Gathers system information

Suspicious use of WriteProcessMemory

Collects information from the system

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks processor information in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-08-30 03:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 03:04

Reported

2024-08-30 03:06

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detects Monster Stealer.

Description Indicator Process Target
N/A N/A N/A N/A

Exela Stealer

stealer exelastealer

Lumma Stealer, LummaC

stealer lumma

Monster

stealer monster

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1656 created 3332 N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif C:\Windows\Explorer.EXE
PID 1656 created 3332 N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif C:\Windows\Explorer.EXE

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\ARP.EXE N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\EquationExplorer C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\SysOrleans C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\HostelGalleries C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\ConfiguringUps C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\ExplorerProprietary C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
File opened for modification C:\Windows\ChestAntique C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\TreeProfessor C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 1608 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 1608 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2864 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 2864 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 2864 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 2752 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2752 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2864 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 2864 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 2864 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4076 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3920 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe
PID 3920 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe
PID 3920 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe
PID 3920 wrote to memory of 5048 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe
PID 3920 wrote to memory of 5048 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe
PID 3920 wrote to memory of 5048 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe
PID 2864 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2864 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2864 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 3132 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 3132 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 3132 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2864 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2864 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2864 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2864 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 2864 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 2864 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 3596 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3420 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3420 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3420 wrote to memory of 720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3420 wrote to memory of 720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3420 wrote to memory of 720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3420 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3420 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3420 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3420 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3420 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3420 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3420 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe

"C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe

"C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe"

C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe

"C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 40365

C:\Windows\SysWOW64\findstr.exe

findstr /V "HopeBuildersGeniusIslam" Sonic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s

C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

Beijing.pif s

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F

C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"

C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe

"C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe

"C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

"C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ddl.safone.dev udp
IE 52.212.52.84:80 ddl.safone.dev tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 84.52.212.52.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
DE 95.179.250.45:26212 tcp
US 8.8.8.8:53 45.250.179.95.in-addr.arpa udp
RU 185.215.113.26:80 185.215.113.26 tcp
FI 65.21.18.51:45580 tcp
US 8.8.8.8:53 26.113.215.185.in-addr.arpa udp
RU 185.215.113.26:80 185.215.113.26 tcp
US 8.8.8.8:53 51.18.21.65.in-addr.arpa udp
US 8.8.8.8:53 stagingbyvdveen.com udp
EE 147.45.60.44:80 stagingbyvdveen.com tcp
RU 185.215.113.17:80 185.215.113.17 tcp
US 8.8.8.8:53 44.60.45.147.in-addr.arpa udp
US 8.8.8.8:53 17.113.215.185.in-addr.arpa udp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 53.107.216.95.in-addr.arpa udp
US 8.8.8.8:53 jSbXVBiItIINfreBHvLPHxDRe.jSbXVBiItIINfreBHvLPHxDRe udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 api.garageserviceoperation.com udp
US 8.8.8.8:53 cgil.in udp
IN 69.57.172.44:443 cgil.in tcp
US 8.8.8.8:53 44.172.57.69.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
NL 195.10.205.48:80 195.10.205.48 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 48.205.10.195.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 jirafasaltas.fun udp
US 104.21.57.227:443 jirafasaltas.fun tcp
US 8.8.8.8:53 abledzovmposia.shop udp
US 104.21.61.115:443 abledzovmposia.shop tcp
US 8.8.8.8:53 227.57.21.104.in-addr.arpa udp
US 8.8.8.8:53 115.61.21.104.in-addr.arpa udp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 104.21.58.213:443 locatedblsoqp.shop tcp
US 8.8.8.8:53 traineiwnqo.shop udp
US 172.67.177.240:443 traineiwnqo.shop tcp
US 8.8.8.8:53 213.58.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.177.67.172.in-addr.arpa udp
N/A 127.0.0.1:50987 tcp
N/A 127.0.0.1:50996 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
N/A 127.0.0.1:51001 tcp
N/A 127.0.0.1:51004 tcp
N/A 127.0.0.1:51006 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1608-0-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/1608-1-0x0000000077A34000-0x0000000077A36000-memory.dmp

memory/1608-2-0x0000000000F91000-0x0000000000FBF000-memory.dmp

memory/1608-3-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/1608-4-0x0000000000F90000-0x000000000143A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 bf7e6a36b168f8b9aac4e47fe6caae27
SHA1 45fa975387ab5a3799396da7ab405e7358dabdfe
SHA256 2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12
SHA512 84eeee19b0fe0c0503c06e301e856951a244b4d554dd3e8164521525d6dd786cb884920a4f4706ce89d6e681c1346b6c0b1e9a7d81dd3ca6825e24f8c341fb96

memory/2864-18-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/1608-17-0x0000000000F90000-0x000000000143A000-memory.dmp

memory/2864-20-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/2864-19-0x0000000000701000-0x000000000072F000-memory.dmp

memory/2864-21-0x0000000000700000-0x0000000000BAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe

MD5 6134586375c01f97f8777bae1bf5ed98
SHA1 4787fa996b75dbc54632cc321725ee62666868a1
SHA256 414becb8aabd4e8c406e84df062bee1a45cffa334ae30022078cfa71da9e330d
SHA512 652ed16d96b5700f105c2bab8e7258f167bc1615b6397be7340c08df7c977842844326e07fdef677aecfaf07263f99bb7968c9fc926e90e5a33d2ed793f8436b

memory/2752-42-0x000000007353E000-0x000000007353F000-memory.dmp

memory/2752-43-0x0000000000B20000-0x0000000000B74000-memory.dmp

memory/2096-46-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2096-49-0x0000000005B00000-0x00000000060A4000-memory.dmp

memory/2096-50-0x0000000005630000-0x00000000056C2000-memory.dmp

memory/2096-51-0x00000000057C0000-0x00000000057CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp922E.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2096-68-0x0000000006370000-0x00000000063E6000-memory.dmp

memory/2096-69-0x0000000006A20000-0x0000000006A3E000-memory.dmp

memory/2096-72-0x00000000073B0000-0x00000000079C8000-memory.dmp

memory/2096-73-0x0000000008C30000-0x0000000008D3A000-memory.dmp

memory/2096-74-0x00000000072B0000-0x00000000072C2000-memory.dmp

memory/2096-75-0x0000000006DD0000-0x0000000006E0C000-memory.dmp

memory/2096-76-0x0000000006E40000-0x0000000006E8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

MD5 8e74497aff3b9d2ddb7e7f819dfc69ba
SHA1 1d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256 d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA512 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

memory/4076-95-0x00000000003D0000-0x00000000004E2000-memory.dmp

memory/3920-99-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3920-97-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3920-102-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3920-101-0x0000000000400000-0x000000000050D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe

MD5 88367533c12315805c059e688e7cdfe9
SHA1 64a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256 c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA512 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe

MD5 30f46f4476cdc27691c7fdad1c255037
SHA1 b53415af5d01f8500881c06867a49a5825172e36
SHA256 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

memory/3920-122-0x0000000000400000-0x000000000050D000-memory.dmp

memory/5048-126-0x00000000009C0000-0x0000000000A12000-memory.dmp

memory/1824-127-0x0000000000FF0000-0x000000000107E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\76b53b3ec448f7ccdda2063b15d2bfc3_c186ecc3-67e4-4d2b-8682-b6c322da87aa

MD5 c723193da2e7a4665b199a8a680220ea
SHA1 b4351fc2e9b1fc9d212aa97db2d92ca9b12e7f60
SHA256 8a9aa5d97adcbc2ad4ef19826011012d8bafa275f5043b1a55b4e62602a40d40
SHA512 919926349b81a87a40a9681eaf1b4877d2567be727d6de52e1b12917630352876623b3abb3af7b74d7827e8bbdb564ee72957e686d27a40ff3ff4ef789641516

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 8864202c5fd6edef7dff9e7177d2d18b
SHA1 cdd76aaf0a9d2ea8bcdeaf336032add0ec405313
SHA256 3fb12096937620ecb84b306caabccdb902c67923299c433ee184cc75d4ea71c5
SHA512 fabc71dd02544a32d66fd08e75479805b42ebc1c33f7e64935e59aa7b8bf3e0085ff94e6171c5df88a80df49673dd494be6af3148f0972a2df5afcdd4de90de8

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 4107e62fd0aab27e26bb5935018cc2e6
SHA1 e6bd7391484ff88297953f313789485eb4f5ac28
SHA256 e414e76bf70e2261c8da9ba3736fcd978aee74c0eee8667931d7aed356a5ef1b
SHA512 56317293399a4fcd94752ec52061f2239a682d3a939b2a94f89cc8ccaf66575bd13e66295ac4326008fd9f35d0a3d77667425cfef21ec5eb7a8cbefd62927fe7

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/2260-190-0x00000000008F0000-0x0000000000B33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\Set-up+%282%29.exe

MD5 d5ed74dc7d1bea716c32ed5efaa8f625
SHA1 69b28bac3fdb3dd6cf7748af00fc433391e8aeb9
SHA256 5458848903d44a7340933dd519e21a8305bd6f78bd9a98fb1e79c7395255b9f7
SHA512 05d5d3feb3c27360f5f1e2fc4fc8ab8f98d1db1824f609f763d78c3b5d360335bd1a715fc27bef13ebe3c3b8323b601e99ccf7d1b404de25951849f9b436061d

memory/2864-198-0x0000000000700000-0x0000000000BAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

MD5 7adfc6a2e7a5daa59d291b6e434a59f3
SHA1 e21ef8be7b78912bed36121404270e5597a3fe25
SHA256 fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
SHA512 30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

C:\Users\Admin\AppData\Local\Temp\Continues

MD5 2226738a67da04cef580c99f70b9a514
SHA1 48bbfbfdce94231ebc1833b87ff6e79aa716e3b4
SHA256 e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1
SHA512 c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08

memory/1824-232-0x0000000008A90000-0x0000000008AF6000-memory.dmp

memory/2864-234-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/2260-235-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1824-253-0x000000000A3A0000-0x000000000A562000-memory.dmp

memory/1824-254-0x000000000AAA0000-0x000000000AFCC000-memory.dmp

memory/2864-255-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/2864-275-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/5048-276-0x00000000078C0000-0x0000000007910000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sonic

MD5 1b5bba21607d9a9c3293ff564ecf4f1a
SHA1 de790d57fbfae12e649bf65fd9695e36a266696a
SHA256 fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e
SHA512 b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a

C:\Users\Admin\AppData\Local\Temp\Corresponding

MD5 7eb7312237cf8653a876136046ce8b3e
SHA1 250d61e72b9a6d0d436e04b569459bb69bb2ab9e
SHA256 fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725
SHA512 778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699

C:\Users\Admin\AppData\Local\Temp\Mr

MD5 0c3f23378f256b116fca366d08dbd146
SHA1 c6c92667dea09b7a4b2b00193ee043278854db1e
SHA256 5defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65
SHA512 0db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3

C:\Users\Admin\AppData\Local\Temp\Minister

MD5 97dd60ac57e3f1873f3120688d47cd3d
SHA1 e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736
SHA256 526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452
SHA512 831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a

C:\Users\Admin\AppData\Local\Temp\Template

MD5 0e70f873cb8f5615dd364325b714895a
SHA1 089a8f5d7d90e7eedd6d02e30aa458440c89d7a7
SHA256 4734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94
SHA512 867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4

C:\Users\Admin\AppData\Local\Temp\Continue

MD5 6184a8fc79d602bc18c0badb08598580
SHA1 de3a273e7020d43729044e41272c301118cc3641
SHA256 a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7
SHA512 41687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb

C:\Users\Admin\AppData\Local\Temp\Zinc

MD5 51143491656ae2ee983d709c45a41861
SHA1 1cf8eb8d13246195cfc6168524d212c9a65b4681
SHA256 dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81
SHA512 239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d

C:\Users\Admin\AppData\Local\Temp\Mobile

MD5 b81b3a6c6725be1cdd528e5fb3a9aa07
SHA1 069d5fd30b48bf5345d21c2af0106325e9372c8f
SHA256 08e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84
SHA512 7a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2

C:\Users\Admin\AppData\Local\Temp\Speak

MD5 0e16cafd2403c552149e325d90637d12
SHA1 efe1e6af41751ca9978c3a21c82ef135a8846f21
SHA256 93ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0
SHA512 0251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec

C:\Users\Admin\AppData\Local\Temp\Dietary

MD5 30a3ed3849e36b4c26a02cf030ea985a
SHA1 d3d29d3ba2c033d0abb6105cd274001e65d07f4e
SHA256 6d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca
SHA512 158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d

C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\40365\s

MD5 30ab54ae1c615436d881fc336c264fef
SHA1 7e2a049923d49ae5859d2a0aa3a7dd092e672bd1
SHA256 ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db
SHA512 1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2260-334-0x00000000008F0000-0x0000000000B33000-memory.dmp

memory/2864-336-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/2864-338-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/1656-339-0x00000000045B0000-0x000000000461F000-memory.dmp

memory/1656-340-0x00000000045B0000-0x000000000461F000-memory.dmp

memory/1656-341-0x00000000045B0000-0x000000000461F000-memory.dmp

memory/1656-342-0x00000000045B0000-0x000000000461F000-memory.dmp

memory/1656-344-0x00000000045B0000-0x000000000461F000-memory.dmp

memory/1656-343-0x00000000045B0000-0x000000000461F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe

MD5 304a5a222857d412cdd4effbb1ec170e
SHA1 34924c42524ca8e7fcc1fc604626d9c5f277dba2
SHA256 d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6
SHA512 208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f

memory/1656-363-0x00000000045B0000-0x000000000461F000-memory.dmp

memory/4784-376-0x0000000140000000-0x0000000140278000-memory.dmp

memory/4784-375-0x0000000140000000-0x0000000140278000-memory.dmp

memory/4784-377-0x0000000140000000-0x0000000140278000-memory.dmp

memory/4784-374-0x0000000140000000-0x0000000140278000-memory.dmp

memory/4784-373-0x0000000140000000-0x0000000140278000-memory.dmp

memory/4784-372-0x0000000140000000-0x0000000140278000-memory.dmp

memory/4784-370-0x0000000140000000-0x0000000140278000-memory.dmp

memory/4784-364-0x0000000140000000-0x0000000140278000-memory.dmp

memory/4784-371-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2864-388-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/4784-389-0x0000000140000000-0x0000000140278000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe

MD5 7f7c9fc57f37c0c3149a94c813475a9d
SHA1 58c9ab2bd639c297cf0299d1de361ae1c930b498
SHA256 fcf4028d1c45c10edae760c507bfc3b6d7418ba2c38dbcf0759016412aee5d37
SHA512 6a373b550a4567d6d0e93e7203df097de8beb64a7ddb1cc347458a3c580d33980244eca966995e0cf39a717efcea71c44c09b2cde5864ff16cde3961b3bf99f9

memory/4192-414-0x0000000000140000-0x00000000006D8000-memory.dmp

memory/4192-415-0x0000000005010000-0x00000000050AC000-memory.dmp

memory/4192-416-0x00000000051A0000-0x0000000005452000-memory.dmp

memory/4192-417-0x0000000004F40000-0x0000000004F62000-memory.dmp

memory/2232-418-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/2232-422-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/2232-420-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/4784-423-0x0000000000400000-0x0000000000E13000-memory.dmp

memory/4784-425-0x0000000140000000-0x0000000140278000-memory.dmp

memory/2040-435-0x0000000000700000-0x0000000000BAA000-memory.dmp

memory/2040-437-0x0000000000700000-0x0000000000BAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe

MD5 cfaf9b5fcc1f02a3bc79914a77a3b58d
SHA1 d492e02c731f9f2192bd64308b522eb93ae11000
SHA256 087ae7982356ee1cd621ddcbc31f7ef94f66887026d8baea672ee446266f3202
SHA512 56c0f76bbb3ebc0623e33b3a3dcd1d33b04286b9b2fcd6ee5304f6d75cac1d7eb8b8bea601673c4b4248b73de2598c45bc3f940858840d8e42b34cf89f6941f3

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

MD5 e6d4b7b529cc401a1c528e8833352039
SHA1 7b2837a2c9eea49e328a425db174a3b5c77d6bb5
SHA256 8f7f41837b9cc115588a83268e8f240149e07859eb1a811aaf135c03d14dbe0c
SHA512 35804a8eb6c31da2b8d36518bd1c2e9afeb5efbb522f2fc47b8d4ba83fb525bd65210732aa4823d7da8aa4f8b5accb4817588a8e103ab7a10e87a585d6cf4ea3

C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe

MD5 d66b6390d1b5b309676b59d5017869a9
SHA1 b1821d78403faa151cd771a9df7e140b0ee686b8
SHA256 e3499112471e1fee441ff5ea3302661d6089c46d45922a1aaca547712352702f
SHA512 55f6a8dd7e2fd783469bd608348f659aa28c3ceec3f4fe0fa3ac362d745da0a3e518efff2c54e550102cb8b008617d24ca4bb7169ace5ecc0b6c856be61770d6

C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\python310.dll

MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\vcruntime140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_ctypes.pyd

MD5 87596db63925dbfe4d5f0f36394d7ab0
SHA1 ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA256 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512 e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

MD5 b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA1 4efe3f21be36095673d949cceac928e11522b29c
SHA256 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512 e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_sqlite3.pyd

MD5 7f61eacbbba2ecf6bf4acf498fa52ce1
SHA1 3174913f971d031929c310b5e51872597d613606
SHA256 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e
SHA512 a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

MD5 926dc90bd9faf4efe1700564aa2a1700
SHA1 763e5af4be07444395c2ab11550c70ee59284e6d
SHA256 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0
SHA512 a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_bz2.pyd

MD5 a4b636201605067b676cc43784ae5570
SHA1 e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256 f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA512 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

C:\Users\Admin\AppData\Local\Temp\Web.db

MD5 db26309558628fa1ef6a1edd23ab2b09
SHA1 9bfb0530d0c2dcc6f9b3947bc3ca602943356368
SHA256 e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070
SHA512 4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

C:\Users\Admin\AppData\Local\Temp\Web.db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_in21gbuf.2io.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4724-590-0x000001C1231A0000-0x000001C1231C2000-memory.dmp

memory/1532-622-0x0000000000700000-0x0000000000BAA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 03:04

Reported

2024-08-30 03:06

Platform

win11-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detects Monster Stealer.

Description Indicator Process Target
N/A N/A N/A N/A

Exela Stealer

stealer exelastealer

Monster

stealer monster

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4968 created 3244 N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif C:\Windows\Explorer.EXE
PID 4968 created 3244 N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif C:\Windows\Explorer.EXE

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\EquationExplorer C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\HostelGalleries C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
File opened for modification C:\Windows\ChestAntique C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\TreeProfessor C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\SysOrleans C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\ConfiguringUps C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File opened for modification C:\Windows\ExplorerProprietary C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 1412 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 1412 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 3440 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 3440 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 3440 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
PID 3872 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3872 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3440 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 3440 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 3440 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 3880 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3880 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 1120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe
PID 3756 wrote to memory of 1120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe
PID 3756 wrote to memory of 1120 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe
PID 3756 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe
PID 3756 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe
PID 3756 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe
PID 3440 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 3440 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 3440 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2628 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2628 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2628 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 3440 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 3440 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 3440 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 3440 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 3440 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 3440 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
PID 3772 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 3772 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 3772 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe C:\Windows\SysWOW64\cmd.exe
PID 5036 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5036 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5036 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5036 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5036 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5036 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5036 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe

"C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe

"C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe"

C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe

"C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 40365

C:\Windows\SysWOW64\findstr.exe

findstr /V "HopeBuildersGeniusIslam" Sonic

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s

C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

Beijing.pif s

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit

C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"

C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe

"C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe

"C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe"

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

"C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1232

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 ddl.safone.dev udp
IE 63.32.161.232:80 ddl.safone.dev tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.161.32.63.in-addr.arpa udp
DE 95.179.250.45:26212 tcp
RU 185.215.113.26:80 185.215.113.26 tcp
FI 65.21.18.51:45580 tcp
RU 185.215.113.26:80 185.215.113.26 tcp
RU 185.215.113.17:80 185.215.113.17 tcp
EE 147.45.60.44:80 stagingbyvdveen.com tcp
FI 95.216.107.53:12311 tcp
IN 69.57.172.44:443 cgil.in tcp
NL 195.10.205.48:80 195.10.205.48 tcp
US 104.26.9.59:443 api.myip.com tcp
US 34.117.59.81:443 ipinfo.io tcp
N/A 127.0.0.1:50269 tcp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 104.21.61.115:443 abledzovmposia.shop tcp
US 172.67.207.182:443 locatedblsoqp.shop tcp
US 104.21.67.155:443 traineiwnqo.shop tcp
N/A 127.0.0.1:50278 tcp
N/A 127.0.0.1:50284 tcp
N/A 127.0.0.1:50287 tcp
N/A 127.0.0.1:50289 tcp
US 104.21.57.227:443 jirafasaltas.fun tcp

Files

memory/1412-0-0x0000000000FB0000-0x000000000145A000-memory.dmp

memory/1412-1-0x0000000077776000-0x0000000077778000-memory.dmp

memory/1412-2-0x0000000000FB1000-0x0000000000FDF000-memory.dmp

memory/1412-3-0x0000000000FB0000-0x000000000145A000-memory.dmp

memory/1412-4-0x0000000000FB0000-0x000000000145A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 bf7e6a36b168f8b9aac4e47fe6caae27
SHA1 45fa975387ab5a3799396da7ab405e7358dabdfe
SHA256 2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12
SHA512 84eeee19b0fe0c0503c06e301e856951a244b4d554dd3e8164521525d6dd786cb884920a4f4706ce89d6e681c1346b6c0b1e9a7d81dd3ca6825e24f8c341fb96

memory/3440-17-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/1412-16-0x0000000000FB0000-0x000000000145A000-memory.dmp

memory/3440-20-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/3440-19-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/3440-21-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/3440-22-0x0000000000E20000-0x00000000012CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe

MD5 6134586375c01f97f8777bae1bf5ed98
SHA1 4787fa996b75dbc54632cc321725ee62666868a1
SHA256 414becb8aabd4e8c406e84df062bee1a45cffa334ae30022078cfa71da9e330d
SHA512 652ed16d96b5700f105c2bab8e7258f167bc1615b6397be7340c08df7c977842844326e07fdef677aecfaf07263f99bb7968c9fc926e90e5a33d2ed793f8436b

memory/3872-43-0x000000007301E000-0x000000007301F000-memory.dmp

memory/3872-44-0x00000000001B0000-0x0000000000204000-memory.dmp

memory/3732-47-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3732-50-0x0000000005530000-0x0000000005AD6000-memory.dmp

memory/3732-51-0x0000000004F80000-0x0000000005012000-memory.dmp

memory/3732-52-0x0000000004E50000-0x0000000004E5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpBBFD.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/3732-67-0x0000000005BE0000-0x0000000005C56000-memory.dmp

memory/3732-68-0x0000000006240000-0x000000000625E000-memory.dmp

memory/3732-71-0x0000000006BD0000-0x00000000071E8000-memory.dmp

memory/3732-72-0x0000000008390000-0x000000000849A000-memory.dmp

memory/3732-73-0x0000000006B00000-0x0000000006B12000-memory.dmp

memory/3732-74-0x0000000006B60000-0x0000000006B9C000-memory.dmp

memory/3732-75-0x00000000084A0000-0x00000000084EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

MD5 8e74497aff3b9d2ddb7e7f819dfc69ba
SHA1 1d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256 d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA512 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

memory/3880-94-0x0000000000D80000-0x0000000000E92000-memory.dmp

memory/3756-96-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3756-98-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3756-100-0x0000000000400000-0x000000000050D000-memory.dmp

memory/3756-101-0x0000000000400000-0x000000000050D000-memory.dmp

C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe

MD5 88367533c12315805c059e688e7cdfe9
SHA1 64a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256 c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA512 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe

MD5 30f46f4476cdc27691c7fdad1c255037
SHA1 b53415af5d01f8500881c06867a49a5825172e36
SHA256 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

memory/3756-121-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2400-126-0x0000000000FC0000-0x0000000001012000-memory.dmp

memory/1120-125-0x0000000000090000-0x000000000011E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-970747758-134341002-3585657277-1000\76b53b3ec448f7ccdda2063b15d2bfc3_99ef8723-b5cb-4d6a-b7a3-7e98e5e6f2a8

MD5 814e367595f6229a0f138cb5679ec0d9
SHA1 21516c47bc7a4c45c3c8891c03799b39a9439448
SHA256 b7838e26a9913485e542029c6bf89aedc0ec6d225116672f11a8f83c335545e1
SHA512 1a6366e75767f5178ab257028867a710710f3169b52b8ee33b302a48531ae7c4e1821e119e631da6d92e4222a8cb73aa2a6036922dfab6f936dc14cc016d6db4

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 79127da9b8a3515f95006b299d439bc8
SHA1 c46ef4b557dd83b160979147a54217c5e58d96af
SHA256 9cdff8eee9ef029758bd9eadf098c016c200f00bac2b60409df38b53889bcfaa
SHA512 b6d77afd0af78dadcc96999a39c8d287f8dba2a56317df0c81bddb3e099f10cf136f55919c12c0114a40c32a812b78f3c1878789b773f13631b9d76fca67ed23

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 1619a079d726750da59fe3541598e4d7
SHA1 39b6507cb57e8a864514612c22f453b76fb4839a
SHA256 bc7aff36b1b9954a9b0729ee1bc2dd5478618b019afc9c5f683bc4aaf51b2f95
SHA512 9e0c1f5f80571b694665fcf5b868565505c0f9c3897e94f66f6f9f702028000a834d010e85017142e7ba079fc472c82f4c948134c9ce94e274dceada1b7b5730

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/4364-186-0x00000000006F0000-0x0000000000933000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\Set-up+%282%29.exe

MD5 d5ed74dc7d1bea716c32ed5efaa8f625
SHA1 69b28bac3fdb3dd6cf7748af00fc433391e8aeb9
SHA256 5458848903d44a7340933dd519e21a8305bd6f78bd9a98fb1e79c7395255b9f7
SHA512 05d5d3feb3c27360f5f1e2fc4fc8ab8f98d1db1824f609f763d78c3b5d360335bd1a715fc27bef13ebe3c3b8323b601e99ccf7d1b404de25951849f9b436061d

memory/3440-195-0x0000000000E20000-0x00000000012CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe

MD5 7adfc6a2e7a5daa59d291b6e434a59f3
SHA1 e21ef8be7b78912bed36121404270e5597a3fe25
SHA256 fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693
SHA512 30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b

memory/3440-206-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/1120-219-0x0000000007C70000-0x0000000007CD6000-memory.dmp

memory/4364-220-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Continues

MD5 2226738a67da04cef580c99f70b9a514
SHA1 48bbfbfdce94231ebc1833b87ff6e79aa716e3b4
SHA256 e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1
SHA512 c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08

memory/1120-267-0x00000000092D0000-0x0000000009492000-memory.dmp

memory/1120-268-0x0000000009AD0000-0x0000000009FFC000-memory.dmp

memory/3440-269-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/3440-270-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/3440-274-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/3732-278-0x0000000009190000-0x00000000091E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sonic

MD5 1b5bba21607d9a9c3293ff564ecf4f1a
SHA1 de790d57fbfae12e649bf65fd9695e36a266696a
SHA256 fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e
SHA512 b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a

C:\Users\Admin\AppData\Local\Temp\Corresponding

MD5 7eb7312237cf8653a876136046ce8b3e
SHA1 250d61e72b9a6d0d436e04b569459bb69bb2ab9e
SHA256 fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725
SHA512 778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699

C:\Users\Admin\AppData\Local\Temp\Mr

MD5 0c3f23378f256b116fca366d08dbd146
SHA1 c6c92667dea09b7a4b2b00193ee043278854db1e
SHA256 5defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65
SHA512 0db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3

C:\Users\Admin\AppData\Local\Temp\Template

MD5 0e70f873cb8f5615dd364325b714895a
SHA1 089a8f5d7d90e7eedd6d02e30aa458440c89d7a7
SHA256 4734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94
SHA512 867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4

C:\Users\Admin\AppData\Local\Temp\Zinc

MD5 51143491656ae2ee983d709c45a41861
SHA1 1cf8eb8d13246195cfc6168524d212c9a65b4681
SHA256 dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81
SHA512 239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d

C:\Users\Admin\AppData\Local\Temp\Mobile

MD5 b81b3a6c6725be1cdd528e5fb3a9aa07
SHA1 069d5fd30b48bf5345d21c2af0106325e9372c8f
SHA256 08e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84
SHA512 7a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2

C:\Users\Admin\AppData\Local\Temp\Speak

MD5 0e16cafd2403c552149e325d90637d12
SHA1 efe1e6af41751ca9978c3a21c82ef135a8846f21
SHA256 93ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0
SHA512 0251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec

C:\Users\Admin\AppData\Local\Temp\Dietary

MD5 30a3ed3849e36b4c26a02cf030ea985a
SHA1 d3d29d3ba2c033d0abb6105cd274001e65d07f4e
SHA256 6d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca
SHA512 158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d

C:\Users\Admin\AppData\Local\Temp\Minister

MD5 97dd60ac57e3f1873f3120688d47cd3d
SHA1 e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736
SHA256 526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452
SHA512 831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a

C:\Users\Admin\AppData\Local\Temp\Continue

MD5 6184a8fc79d602bc18c0badb08598580
SHA1 de3a273e7020d43729044e41272c301118cc3641
SHA256 a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7
SHA512 41687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb

C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\40365\s

MD5 30ab54ae1c615436d881fc336c264fef
SHA1 7e2a049923d49ae5859d2a0aa3a7dd092e672bd1
SHA256 ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db
SHA512 1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4364-334-0x00000000006F0000-0x0000000000933000-memory.dmp

memory/3440-335-0x0000000000E20000-0x00000000012CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe

MD5 304a5a222857d412cdd4effbb1ec170e
SHA1 34924c42524ca8e7fcc1fc604626d9c5f277dba2
SHA256 d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6
SHA512 208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f

memory/3128-354-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-366-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-367-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-365-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-364-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-363-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-362-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-360-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-361-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3128-380-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3440-387-0x0000000000E20000-0x00000000012CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe

MD5 7f7c9fc57f37c0c3149a94c813475a9d
SHA1 58c9ab2bd639c297cf0299d1de361ae1c930b498
SHA256 fcf4028d1c45c10edae760c507bfc3b6d7418ba2c38dbcf0759016412aee5d37
SHA512 6a373b550a4567d6d0e93e7203df097de8beb64a7ddb1cc347458a3c580d33980244eca966995e0cf39a717efcea71c44c09b2cde5864ff16cde3961b3bf99f9

memory/4644-406-0x0000000000F40000-0x00000000014D8000-memory.dmp

memory/4644-407-0x0000000005F20000-0x0000000005FBC000-memory.dmp

memory/4644-408-0x0000000005FC0000-0x0000000006272000-memory.dmp

memory/4644-409-0x0000000005E30000-0x0000000005E52000-memory.dmp

memory/3728-410-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/3728-412-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/3728-414-0x0000000000400000-0x00000000005DF000-memory.dmp

memory/3128-415-0x0000000000400000-0x0000000000E13000-memory.dmp

memory/4968-416-0x0000000004500000-0x000000000456F000-memory.dmp

memory/4968-417-0x0000000004500000-0x000000000456F000-memory.dmp

memory/4968-418-0x0000000004500000-0x000000000456F000-memory.dmp

memory/4968-419-0x0000000004500000-0x000000000456F000-memory.dmp

memory/4968-420-0x0000000004500000-0x000000000456F000-memory.dmp

memory/4968-421-0x0000000004500000-0x000000000456F000-memory.dmp

memory/4968-422-0x0000000004500000-0x000000000456F000-memory.dmp

memory/3128-424-0x0000000140000000-0x0000000140278000-memory.dmp

memory/3440-431-0x0000000000E20000-0x00000000012CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe

MD5 cfaf9b5fcc1f02a3bc79914a77a3b58d
SHA1 d492e02c731f9f2192bd64308b522eb93ae11000
SHA256 087ae7982356ee1cd621ddcbc31f7ef94f66887026d8baea672ee446266f3202
SHA512 56c0f76bbb3ebc0623e33b3a3dcd1d33b04286b9b2fcd6ee5304f6d75cac1d7eb8b8bea601673c4b4248b73de2598c45bc3f940858840d8e42b34cf89f6941f3

C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe

MD5 e6d4b7b529cc401a1c528e8833352039
SHA1 7b2837a2c9eea49e328a425db174a3b5c77d6bb5
SHA256 8f7f41837b9cc115588a83268e8f240149e07859eb1a811aaf135c03d14dbe0c
SHA512 35804a8eb6c31da2b8d36518bd1c2e9afeb5efbb522f2fc47b8d4ba83fb525bd65210732aa4823d7da8aa4f8b5accb4817588a8e103ab7a10e87a585d6cf4ea3

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe

MD5 d66b6390d1b5b309676b59d5017869a9
SHA1 b1821d78403faa151cd771a9df7e140b0ee686b8
SHA256 e3499112471e1fee441ff5ea3302661d6089c46d45922a1aaca547712352702f
SHA512 55f6a8dd7e2fd783469bd608348f659aa28c3ceec3f4fe0fa3ac362d745da0a3e518efff2c54e550102cb8b008617d24ca4bb7169ace5ecc0b6c856be61770d6

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\python310.dll

MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\vcruntime140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 87596db63925dbfe4d5f0f36394d7ab0
SHA1 ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA256 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512 e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\_bz2.pyd

MD5 a4b636201605067b676cc43784ae5570
SHA1 e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256 f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA512 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\_sqlite3.pyd

MD5 7f61eacbbba2ecf6bf4acf498fa52ce1
SHA1 3174913f971d031929c310b5e51872597d613606
SHA256 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e
SHA512 a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

MD5 b98d491ead30f30e61bc3e865ab72f18
SHA1 db165369b7f2ae513b51c4f3def9ea2668268221
SHA256 35d5aeb890b99e6bae3e6b863313fbc8a1a554acbcd416fe901b1e1ae2993c98
SHA512 044c9c39bddb13020ed865d3aa30926460ae6ded5fdea59eca2b1cf6a4ded55728d883f19ee0749f95a4d93f66e04fcc62bc3be67119c4ccabd17b003cf5f3c4

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\sqlite3.dll

MD5 926dc90bd9faf4efe1700564aa2a1700
SHA1 763e5af4be07444395c2ab11550c70ee59284e6d
SHA256 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0
SHA512 a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\_lzma.pyd

MD5 b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA1 4efe3f21be36095673d949cceac928e11522b29c
SHA256 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512 e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

C:\Users\Admin\AppData\Local\Temp\Web.db

MD5 a33481b308bc347cac2e395b7ff3532a
SHA1 fd6a52ce42334a2286d8e1807619afc12593111f
SHA256 6909d34d9fbe1e8b19456853f3080f897d7e40bc84db970413fd3083073c83aa
SHA512 a19ea96ac4f90f11162724c73cfe51bbe49e675d0677e25273a910db7edddeb3768291ecd6d19326afdbb181219cdf04661f3ad261c8230e487c13f45603bf83

C:\Users\Admin\AppData\Local\Temp\Web.db

MD5 87210e9e528a4ddb09c6b671937c79c6
SHA1 3c75314714619f5b55e25769e0985d497f0062f2
SHA256 eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512 f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ti33s5yk.t0j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4504-577-0x000001542CEC0000-0x000001542CEE2000-memory.dmp

memory/1732-587-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/5036-629-0x0000000000E20000-0x00000000012CA000-memory.dmp

memory/5036-631-0x0000000000E20000-0x00000000012CA000-memory.dmp