Analysis Overview
SHA256
2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12
Threat Level: Known bad
The file 2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Stealc
Exela Stealer
Lumma Stealer, LummaC
RedLine
RedLine payload
Monster
Amadey
Detects Monster Stealer.
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Grants admin privileges
Downloads MZ/PE file
Modifies Windows Firewall
Clipboard Data
Reads user/profile data of web browsers
Drops startup file
Reads data files stored by FTP clients
Checks BIOS information in registry
Unsecured Credentials: Credentials In Files
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Network Service Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Hide Artifacts: Hidden Files and Directories
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Drops file in Windows directory
Launches sc.exe
Permission Groups Discovery: Local Groups
Program crash
System Network Connections Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Embeds OpenSSL
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Kills process with taskkill
Runs net.exe
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Gathers system information
Suspicious use of WriteProcessMemory
Collects information from the system
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-30 03:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 03:04
Reported
2024-08-30 03:06
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Amadey
Detects Monster Stealer.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Exela Stealer
Lumma Stealer, LummaC
Monster
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1656 created 3332 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
| PID 1656 created 3332 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
Credentials from Password Stores: Credentials from Web Browsers
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2752 set thread context of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4076 set thread context of 3920 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4192 set thread context of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4632 set thread context of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\EquationExplorer | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\SysOrleans | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\HostelGalleries | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ConfiguringUps | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ExplorerProprietary | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| File opened for modification | C:\Windows\ChestAntique | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\TreeProfessor | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob data omitted] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | "C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe" |
| C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe | "C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe | "C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe" |
| C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe | "C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe" |
| C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | "C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 40365 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "HopeBuildersGeniusIslam" Sonic |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s |
| C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | Beijing.pif s |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F |
| C:\Windows\SysWOW64\cmd.exe | cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F |
| C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe | "C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe | "C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe |
| C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | "C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe" |
| C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe | "C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe" |
| C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe | C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "gdb --version" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic computersystem get Manufacturer |
| C:\Windows\system32\tasklist.exe | tasklist |
| C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic path Win32_ComputerSystem get Manufacturer |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic csproduct get uuid |
| C:\Windows\system32\tasklist.exe | tasklist |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"" |
| C:\Windows\system32\attrib.exe | attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()"" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe" |
| C:\Windows\system32\mshta.exe | mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()" |
| C:\Windows\system32\taskkill.exe | taskkill /F /IM chrome.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "chcp" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "chcp" |
| C:\Windows\system32\chcp.com | chcp |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe Get-Clipboard |
| C:\Windows\system32\chcp.com | chcp |
| C:\Windows\system32\tasklist.exe | tasklist /FO LIST |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" |
| C:\Windows\system32\systeminfo.exe | systeminfo |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
| C:\Windows\system32\HOSTNAME.EXE | hostname |
| C:\Windows\System32\Wbem\WMIC.exe | wmic logicaldisk get caption,description,providername |
| C:\Windows\system32\net.exe | net user |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user |
| C:\Windows\system32\query.exe | query user |
| C:\Windows\system32\quser.exe | "C:\Windows\system32\quser.exe" |
| C:\Windows\system32\net.exe | net localgroup |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 localgroup |
| C:\Windows\system32\net.exe | net localgroup administrators |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 localgroup administrators |
| C:\Windows\system32\net.exe | net user guest |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user guest |
| C:\Windows\system32\net.exe | net user administrator |
| C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user administrator |
| C:\Windows\System32\Wbem\WMIC.exe | wmic startup get caption,command |
| C:\Windows\system32\tasklist.exe | tasklist /svc |
| C:\Windows\system32\ipconfig.exe | ipconfig /all |
| C:\Windows\system32\ROUTE.EXE | route print |
| C:\Windows\system32\ARP.EXE | arp -a |
| C:\Windows\system32\NETSTAT.EXE | netstat -ano |
| C:\Windows\system32\sc.exe | sc query type= service state= all |
| C:\Windows\system32\netsh.exe | netsh firewall show state |
| C:\Windows\system32\netsh.exe | netsh firewall show config |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic csproduct get uuid |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic csproduct get uuid |
| C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe |
Network
Files
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
C:\Users\Admin\AppData\Local\Temp\Tmp922E.tmp
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
C:\Users\Admin\AppData\Roaming\Avb8FRbpVj.exe
C:\Users\Admin\AppData\Roaming\IiFsNhvvfT.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\76b53b3ec448f7ccdda2063b15d2bfc3_c186ecc3-67e4-4d2b-8682-b6c322da87aa
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\Admin\Desktop\Microsoft Edge.lnk
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
C:\Users\Admin\AppData\Local\Temp\1000129001\Set-up+%282%29.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Continues
C:\Users\Admin\AppData\Local\Temp\Sonic
C:\Users\Admin\AppData\Local\Temp\Corresponding
C:\Users\Admin\AppData\Local\Temp\Mr
C:\Users\Admin\AppData\Local\Temp\Minister
C:\Users\Admin\AppData\Local\Temp\Template
C:\Users\Admin\AppData\Local\Temp\Continue
C:\Users\Admin\AppData\Local\Temp\Zinc
C:\Users\Admin\AppData\Local\Temp\Mobile
C:\Users\Admin\AppData\Local\Temp\Speak
C:\Users\Admin\AppData\Local\Temp\Dietary
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
C:\Users\Admin\AppData\Local\Temp\40365\s
C:\ProgramData\mozglue.dll
C:\ProgramData\nss3.dll
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe
C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe
C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\stub.exe
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\python310.dll
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\vcruntime140.dll
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\onefile_3308_133694607180227528\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\Web.db
C:\Users\Admin\AppData\Local\Temp\Web.db
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_in21gbuf.2io.ps1
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 03:04
Reported
2024-08-30 03:06
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Amadey
Detects Monster Stealer.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Exela Stealer
Monster
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4968 created 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
| PID 4968 created 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | C:\Windows\Explorer.EXE |
Credentials from Password Stores: Credentials from Web Browsers
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3872 set thread context of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3880 set thread context of 3756 | N/A | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4644 set thread context of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2656 set thread context of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\EquationExplorer | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\HostelGalleries | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| File opened for modification | C:\Windows\ChestAntique | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\TreeProfessor | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\SysOrleans | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ConfiguringUps | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File opened for modification | C:\Windows\ExplorerProprietary | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary certificate blob omitted] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe
"C:\Users\Admin\AppData\Local\Temp\2d11a5d7f14523c93d9c1ebc4ed7d65e90a5fe4f3a6bda8efac5c632da92ed12.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe
"C:\Users\Admin\AppData\Roaming\oIg7NK0Sgt.exe"
C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe
"C:\Users\Admin\AppData\Roaming\PnJgDxsuFN.exe"
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Continues Continues.cmd & Continues.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 40365
C:\Windows\SysWOW64\findstr.exe
findstr /V "HopeBuildersGeniusIslam" Sonic
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Mr + ..\Minister + ..\Template + ..\Dietary + ..\Speak + ..\Mobile + ..\Zinc + ..\Continue s
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
Beijing.pif s
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Invitations" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\MindLynx.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindLynx.url" & exit
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"
C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe
"C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe
"C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe"
C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
"C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe
C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('/start', 0, 'System Error', 0+16);close()"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1232
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
memory/4364-186-0x00000000006F0000-0x0000000000933000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000129001\Set-up+%282%29.exe
| MD5 | d5ed74dc7d1bea716c32ed5efaa8f625 |
| SHA1 | 69b28bac3fdb3dd6cf7748af00fc433391e8aeb9 |
| SHA256 | 5458848903d44a7340933dd519e21a8305bd6f78bd9a98fb1e79c7395255b9f7 |
| SHA512 | 05d5d3feb3c27360f5f1e2fc4fc8ab8f98d1db1824f609f763d78c3b5d360335bd1a715fc27bef13ebe3c3b8323b601e99ccf7d1b404de25951849f9b436061d |
memory/3440-195-0x0000000000E20000-0x00000000012CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\runtime.exe
| MD5 | 7adfc6a2e7a5daa59d291b6e434a59f3 |
| SHA1 | e21ef8be7b78912bed36121404270e5597a3fe25 |
| SHA256 | fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693 |
| SHA512 | 30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b |
memory/3440-206-0x0000000000E20000-0x00000000012CA000-memory.dmp
memory/1120-219-0x0000000007C70000-0x0000000007CD6000-memory.dmp
memory/4364-220-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Continues
| MD5 | 2226738a67da04cef580c99f70b9a514 |
| SHA1 | 48bbfbfdce94231ebc1833b87ff6e79aa716e3b4 |
| SHA256 | e04a1b86ce1a5352f7c3a5ddb8b500993f4342ef4e188ed156009e5271795af1 |
| SHA512 | c653aafd3aa2d320eef1d5b9cf9e58372e778c41147c3d85bcb6e231c8703d19f410ebb2f58f2a9f0671f027fce2baeeec70252e926bb9880128ba6dcedfdb08 |
memory/1120-267-0x00000000092D0000-0x0000000009492000-memory.dmp
memory/1120-268-0x0000000009AD0000-0x0000000009FFC000-memory.dmp
memory/3440-269-0x0000000000E20000-0x00000000012CA000-memory.dmp
memory/3440-270-0x0000000000E20000-0x00000000012CA000-memory.dmp
memory/3440-274-0x0000000000E20000-0x00000000012CA000-memory.dmp
memory/3732-278-0x0000000009190000-0x00000000091E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Sonic
| MD5 | 1b5bba21607d9a9c3293ff564ecf4f1a |
| SHA1 | de790d57fbfae12e649bf65fd9695e36a266696a |
| SHA256 | fc6ba37a8bfe546d8186e92c2f729080b00d4371ef2e8e3a18ec66acc1cf199e |
| SHA512 | b9e23dd79986397c9fe5c1ac150c60c8993f89488645f06e0865abb2491dc3b9949867753d76cab34352445459601c339a6f78ff8b48323951638f9666d6a74a |
C:\Users\Admin\AppData\Local\Temp\Corresponding
| MD5 | 7eb7312237cf8653a876136046ce8b3e |
| SHA1 | 250d61e72b9a6d0d436e04b569459bb69bb2ab9e |
| SHA256 | fa349d460b066e9b325db200251ae35892353462c352728cfb0fa405c293f725 |
| SHA512 | 778fbbec7cd5c9d2aa3623f73604fd7a6e98d3673b50ab7e8ac54c8aa3d955c103d7cdc0838e00f256ade000c979860bf54d3d2b36dd3dcd4fe8fca9f1c82699 |
C:\Users\Admin\AppData\Local\Temp\Mr
| MD5 | 0c3f23378f256b116fca366d08dbd146 |
| SHA1 | c6c92667dea09b7a4b2b00193ee043278854db1e |
| SHA256 | 5defb1b1225282e2ab46d4257416334b5344e5b0a020b4b7900436c59684de65 |
| SHA512 | 0db03b484ce0849bd005ec962e69fea3f8b728739e622ad57519e9411d5257026938b9eb8db050bb355a624f34b19bfe0e0fb8af888bab99d4febb5ec89381f3 |
C:\Users\Admin\AppData\Local\Temp\Template
| MD5 | 0e70f873cb8f5615dd364325b714895a |
| SHA1 | 089a8f5d7d90e7eedd6d02e30aa458440c89d7a7 |
| SHA256 | 4734d4d0626e140398a788226a5985e814bbd674f4218b60a89fd2da8f4ceb94 |
| SHA512 | 867dbac35991b2222f5fb4f5fc6dca4640b386356dff12322fdc06bb05b8af7c438e15f9fc6b4d4cedc27f081480d4187c1b4007831d9a052c3beda8d3c56ac4 |
C:\Users\Admin\AppData\Local\Temp\Zinc
| MD5 | 51143491656ae2ee983d709c45a41861 |
| SHA1 | 1cf8eb8d13246195cfc6168524d212c9a65b4681 |
| SHA256 | dc4aac8b9eb62788bd04316293cde7e3d839e828e3e3082a2d81922ca8a94c81 |
| SHA512 | 239f2903b3b5177b32971ae3eb3eab2cc4c3d7856a3839f184c7f59b7e3cd53de4dac3363519e82acd183e564ae688dc8a7e5097c1283699714584ee13bed67d |
C:\Users\Admin\AppData\Local\Temp\Mobile
| MD5 | b81b3a6c6725be1cdd528e5fb3a9aa07 |
| SHA1 | 069d5fd30b48bf5345d21c2af0106325e9372c8f |
| SHA256 | 08e8e54417a8e7007aeedb0399f4e549fc31aaf6031416c8d30306fe350c1f84 |
| SHA512 | 7a04ee23c0b3d832fa518390253c0153829e7ab0907209dc67c5eae687ad648ab18aa7d064e544c1da3b03cc610ed10fe63a73fc5aaa129402a561843aa975e2 |
C:\Users\Admin\AppData\Local\Temp\Speak
| MD5 | 0e16cafd2403c552149e325d90637d12 |
| SHA1 | efe1e6af41751ca9978c3a21c82ef135a8846f21 |
| SHA256 | 93ddbcd9109129656049162e3f6a8d9fffdc5a3da262e0a2bf2bc4624014f7b0 |
| SHA512 | 0251de7abb9a4457cf16dab0b1e88d0897c5b6655cdf27b9c298c1796925ea2514cd2f065106eccd56b97a6804e84f459806d528837bf9718c7c9e525f7159ec |
C:\Users\Admin\AppData\Local\Temp\Dietary
| MD5 | 30a3ed3849e36b4c26a02cf030ea985a |
| SHA1 | d3d29d3ba2c033d0abb6105cd274001e65d07f4e |
| SHA256 | 6d86469ced96b57db84de11f9eac77c8076a3bfa65942776f7cc50625fbd31ca |
| SHA512 | 158aabac6f79393a2a7faed30693f78191bf97771a6125229873abedceef71d5df7d5bb934fdfa1ff4c683df49a158e5ba3efea9a4dd10dce8ba24b3c4fc507d |
C:\Users\Admin\AppData\Local\Temp\Minister
| MD5 | 97dd60ac57e3f1873f3120688d47cd3d |
| SHA1 | e8941900dac0dd9b9ac4b7a08d3ace40c3cc9736 |
| SHA256 | 526b6cbf430fc40eb8d23cd2c4ee1c81e04a2c9e01167370527f19465f67c452 |
| SHA512 | 831eb3f1bd352173db735e4f5e2a4c9380006e3146ecd466b415d7ef7e2c0a345b4da0ebc0415043a9599859e2fb2a131e8d3fc5012d1ccc7473b0ebd4fd076a |
C:\Users\Admin\AppData\Local\Temp\Continue
| MD5 | 6184a8fc79d602bc18c0badb08598580 |
| SHA1 | de3a273e7020d43729044e41272c301118cc3641 |
| SHA256 | a8181f349864c6c9a216935894392b75d0d1430d43a255ff3a9ad56c325487e7 |
| SHA512 | 41687b30ecd957eb1b6d332133f1c1d7e01cc1c8bf56526dfa20de3937ed549133e93872380e3b51b63b33134c62d4df91c7e08e908ca18b3e6f9d52e89378cb |
C:\Users\Admin\AppData\Local\Temp\40365\Beijing.pif
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\40365\s
| MD5 | 30ab54ae1c615436d881fc336c264fef |
| SHA1 | 7e2a049923d49ae5859d2a0aa3a7dd092e672bd1 |
| SHA256 | ff64ae2a70b07eba7678241a8fa20f3569a03cc5cdc087306a4451acd97ee2db |
| SHA512 | 1af06fd6d67c59df3a32fbc4c12e8788f5e3b46a1ca2e1ddc8bc9926d1bacb0b702f2d88e950fc04145d3b904e60e8910acf6fc0f87bd676459b10fc25707be9 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4364-334-0x00000000006F0000-0x0000000000933000-memory.dmp
memory/3440-335-0x0000000000E20000-0x00000000012CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
| MD5 | 304a5a222857d412cdd4effbb1ec170e |
| SHA1 | 34924c42524ca8e7fcc1fc604626d9c5f277dba2 |
| SHA256 | d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6 |
| SHA512 | 208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f |
memory/3128-354-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-366-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-367-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-365-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-364-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-363-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-362-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-360-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-361-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-380-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3440-387-0x0000000000E20000-0x00000000012CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000223001\openvpn12.exe
| MD5 | 7f7c9fc57f37c0c3149a94c813475a9d |
| SHA1 | 58c9ab2bd639c297cf0299d1de361ae1c930b498 |
| SHA256 | fcf4028d1c45c10edae760c507bfc3b6d7418ba2c38dbcf0759016412aee5d37 |
| SHA512 | 6a373b550a4567d6d0e93e7203df097de8beb64a7ddb1cc347458a3c580d33980244eca966995e0cf39a717efcea71c44c09b2cde5864ff16cde3961b3bf99f9 |
memory/4644-406-0x0000000000F40000-0x00000000014D8000-memory.dmp
memory/4644-407-0x0000000005F20000-0x0000000005FBC000-memory.dmp
memory/4644-408-0x0000000005FC0000-0x0000000006272000-memory.dmp
memory/4644-409-0x0000000005E30000-0x0000000005E52000-memory.dmp
memory/3728-410-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3728-412-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3728-414-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3128-415-0x0000000000400000-0x0000000000E13000-memory.dmp
memory/4968-416-0x0000000004500000-0x000000000456F000-memory.dmp
memory/4968-417-0x0000000004500000-0x000000000456F000-memory.dmp
memory/4968-418-0x0000000004500000-0x000000000456F000-memory.dmp
memory/4968-419-0x0000000004500000-0x000000000456F000-memory.dmp
memory/4968-420-0x0000000004500000-0x000000000456F000-memory.dmp
memory/4968-421-0x0000000004500000-0x000000000456F000-memory.dmp
memory/4968-422-0x0000000004500000-0x000000000456F000-memory.dmp
memory/3128-424-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3440-431-0x0000000000E20000-0x00000000012CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000225001\WASSetup.exe
| MD5 | cfaf9b5fcc1f02a3bc79914a77a3b58d |
| SHA1 | d492e02c731f9f2192bd64308b522eb93ae11000 |
| SHA256 | 087ae7982356ee1cd621ddcbc31f7ef94f66887026d8baea672ee446266f3202 |
| SHA512 | 56c0f76bbb3ebc0623e33b3a3dcd1d33b04286b9b2fcd6ee5304f6d75cac1d7eb8b8bea601673c4b4248b73de2598c45bc3f940858840d8e42b34cf89f6941f3 |
C:\Users\Admin\AppData\Local\Temp\1000226001\build.exe
| MD5 | e6d4b7b529cc401a1c528e8833352039 |
| SHA1 | 7b2837a2c9eea49e328a425db174a3b5c77d6bb5 |
| SHA256 | 8f7f41837b9cc115588a83268e8f240149e07859eb1a811aaf135c03d14dbe0c |
| SHA512 | 35804a8eb6c31da2b8d36518bd1c2e9afeb5efbb522f2fc47b8d4ba83fb525bd65210732aa4823d7da8aa4f8b5accb4817588a8e103ab7a10e87a585d6cf4ea3 |
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\stub.exe
| MD5 | d66b6390d1b5b309676b59d5017869a9 |
| SHA1 | b1821d78403faa151cd771a9df7e140b0ee686b8 |
| SHA256 | e3499112471e1fee441ff5ea3302661d6089c46d45922a1aaca547712352702f |
| SHA512 | 55f6a8dd7e2fd783469bd608348f659aa28c3ceec3f4fe0fa3ac362d745da0a3e518efff2c54e550102cb8b008617d24ca4bb7169ace5ecc0b6c856be61770d6 |
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\python310.dll
| MD5 | c80b5cb43e5fe7948c3562c1fff1254e |
| SHA1 | f73cb1fb9445c96ecd56b984a1822e502e71ab9d |
| SHA256 | 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20 |
| SHA512 | faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81 |
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
| MD5 | 87596db63925dbfe4d5f0f36394d7ab0 |
| SHA1 | ad1dd48bbc078fe0a2354c28cb33f92a7e64907e |
| SHA256 | 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4 |
| SHA512 | e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b |
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\_bz2.pyd
| MD5 | a4b636201605067b676cc43784ae5570 |
| SHA1 | e9f49d0fc75f25743d04ce23c496eb5f89e72a9a |
| SHA256 | f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c |
| SHA512 | 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488 |
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\_sqlite3.pyd
| MD5 | 7f61eacbbba2ecf6bf4acf498fa52ce1 |
| SHA1 | 3174913f971d031929c310b5e51872597d613606 |
| SHA256 | 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e |
| SHA512 | a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd
| MD5 | b98d491ead30f30e61bc3e865ab72f18 |
| SHA1 | db165369b7f2ae513b51c4f3def9ea2668268221 |
| SHA256 | 35d5aeb890b99e6bae3e6b863313fbc8a1a554acbcd416fe901b1e1ae2993c98 |
| SHA512 | 044c9c39bddb13020ed865d3aa30926460ae6ded5fdea59eca2b1cf6a4ded55728d883f19ee0749f95a4d93f66e04fcc62bc3be67119c4ccabd17b003cf5f3c4 |
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\sqlite3.dll
| MD5 | 926dc90bd9faf4efe1700564aa2a1700 |
| SHA1 | 763e5af4be07444395c2ab11550c70ee59284e6d |
| SHA256 | 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0 |
| SHA512 | a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556 |
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\_lzma.pyd
| MD5 | b5fbc034ad7c70a2ad1eb34d08b36cf8 |
| SHA1 | 4efe3f21be36095673d949cceac928e11522b29c |
| SHA256 | 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6 |
| SHA512 | e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c |
C:\Users\Admin\AppData\Local\Temp\Web.db
| MD5 | a33481b308bc347cac2e395b7ff3532a |
| SHA1 | fd6a52ce42334a2286d8e1807619afc12593111f |
| SHA256 | 6909d34d9fbe1e8b19456853f3080f897d7e40bc84db970413fd3083073c83aa |
| SHA512 | a19ea96ac4f90f11162724c73cfe51bbe49e675d0677e25273a910db7edddeb3768291ecd6d19326afdbb181219cdf04661f3ad261c8230e487c13f45603bf83 |
C:\Users\Admin\AppData\Local\Temp\Web.db
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ti33s5yk.t0j.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4504-577-0x000001542CEC0000-0x000001542CEE2000-memory.dmp
memory/1732-587-0x0000000000E20000-0x00000000012CA000-memory.dmp
memory/5036-629-0x0000000000E20000-0x00000000012CA000-memory.dmp
memory/5036-631-0x0000000000E20000-0x00000000012CA000-memory.dmp
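The listing above is the report's dropped-file table: a path line, `| MD5 | ... |` style hash rows, and `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` lines for memory dumps. The following is an added example (this editor's code, not the sandbox's tooling or anything from the report) that parses that format into records for a hash hunt, validates hash lengths so a truncated copy is caught before it reaches a blocklist, groups memory dumps per PID, and tags a few drop patterns. The sample input is an excerpt copied from the listing above; the tags in `flag_artifacts` are my own heuristics, and treating the numbered `Temp\1000NNN001\` directories as the loader's per-download directories is an assumption drawn from the families the report names, not something the listing itself states.

```python
"""Parse a sandbox dropped-file listing (path line, then `| MD5 | ... |` hash rows,
plus `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` lines) into hunt-ready records."""
import re
from collections import defaultdict

# Excerpt copied from the listing above (three entries, not the whole table).
SAMPLE_LISTING = r"""
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/4364-334-0x00000000006F0000-0x0000000000933000-memory.dmp
memory/3440-335-0x0000000000E20000-0x00000000012CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe
| MD5 | 304a5a222857d412cdd4effbb1ec170e |
| SHA1 | 34924c42524ca8e7fcc1fc604626d9c5f277dba2 |
| SHA256 | d67fb52973c445a3488a9d6a9a9ff3ebebb05b1c0e853cebfa8bba1a5953f0d6 |
| SHA512 | 208b39436b520e909eb8262f68314dcb93852ea5f00a1d4ce8bd682dd5e20ad313e65ff293c8062bfed95ffe101f6ead3d7da4886e779031101329a3764b855f |
memory/3128-354-0x0000000140000000-0x0000000140278000-memory.dmp
memory/3128-366-0x0000000140000000-0x0000000140278000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_3536_133694606957855102\python310.dll
| MD5 | c80b5cb43e5fe7948c3562c1fff1254e |
| SHA1 | f73cb1fb9445c96ecd56b984a1822e502e71ab9d |
| SHA256 | 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20 |
| SHA512 | faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_listing(text):
    """Return (files, dumps, problems): files is a list of {'path', 'MD5', ...}, dumps maps
    pid -> [(seq, start, end)], problems lists hashes whose hex length is wrong for the algorithm."""
    files, dumps, problems, current = [], defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_LINE.match(line):
            pid, seq, start, end = m.groups()
            dumps[int(pid)].append((int(seq), int(start, 16), int(end, 16)))
        elif m := HASH_ROW.match(line):
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # a truncated hash is useless for hunting
                problems.append((current["path"], algo, len(digest)))
            current[algo] = digest
        elif PATH_LINE.match(line):
            current = {"path": line}
            files.append(current)
        else:
            raise ValueError(f"unrecognised line: {line}")
    return files, dict(dumps), problems


def flag_artifacts(files):
    """Tag paths that match drop patterns visible in this listing. The tags are this
    editor's heuristics, not the sandbox's own signatures."""
    tags = defaultdict(list)
    for rec in files:
        path = rec["path"]
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        # Mozilla NSS DLLs outside a Firefox install: stealers stage them next to the
        # payload so they can decrypt Firefox's stored logins.
        if name in {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll"} \
                and "\\program files" not in low:
            tags[path].append("nss-libs-outside-firefox")
        # %TEMP%\onefile_<pid>_<time>\ is Nuitka's onefile unpack directory; a
        # pythonNNN.dll inside it means a Python program compiled with Nuitka.
        if re.search(r"\\onefile_\d+_\d+\\python3\d+\.dll$", low):
            tags[path].append("nuitka-onefile-python")
        # Numbered %TEMP%\1000NNN001\ subdirectories: assumed here to be the loader's
        # per-download directories (Amadey is among the families the report names).
        if re.search(r"\\temp\\1000\d{3}001\\[^\\]+\.exe$", low):
            tags[path].append("loader-download-dir")
    return dict(tags)


def sha256_set(files):
    """Distinct SHA256 values for a hash hunt (dedupe on hash, not on path)."""
    return sorted({r["SHA256"] for r in files if "SHA256" in r})


def dump_regions(dumps):
    """Per PID: distinct (start, end) regions, dump count and bytes covered, so a region
    dumped repeatedly (a payload unpacked in place) stands out."""
    out = {}
    for pid, entries in dumps.items():
        regions = sorted({(s, e) for _, s, e in entries})
        out[pid] = {"regions": regions, "dumps": len(entries),
                    "bytes": sum(e - s for s, e in regions)}
    return out
```

Two details of the listing matter when feeding it through this: `ONEFIL~1` is the 8.3 short name of the one `onefile_3536_...` directory in the listing, so both path forms point at the same Nuitka unpack directory; and `C:\Users\Admin\AppData\Local\Temp\Web.db` appears twice with different hashes, which is two distinct files written to the same path, so deduplication has to be on hash rather than on path. Paths like `Temp\Continues` or `Temp\Sonic` with no extension are parsed like any other entry.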