Malware Analysis Report

2024-10-19 02:37

Sample ID 240907-r4bhwayfmn
Target 4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456
SHA256 4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456
Tags
amadey cryptbot lumma redline stealc zharkbot @cloudytteam bundle default default2 fed3aa livetraffic botnet credential_access defense_evasion discovery evasion execution infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456

Threat Level: Known bad

The file 4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456 was found to be: Known bad.

Malicious Activity Summary

amadey cryptbot lumma redline stealc zharkbot @cloudytteam bundle default default2 fed3aa livetraffic botnet credential_access defense_evasion discovery evasion execution infostealer persistence spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

ZharkBot

Stealc

CryptBot

RedLine

Amadey

RedLine payload

Detects ZharkBot payload

Lumma Stealer, LummaC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Reads data files stored by FTP clients

Checks computer location settings

Checks BIOS information in registry

Unsecured Credentials: Credentials In Files

Drops startup file

Indirect Command Execution

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-07 14:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-07 14:44

Reported

2024-09-07 14:46

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

CryptBot

spyware stealer cryptbot

Detects ZharkBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer, LummaC

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3860 created 3468 N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif C:\Windows\Explorer.EXE
PID 3860 created 3468 N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif C:\Windows\Explorer.EXE

ZharkBot

botnet zharkbot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\Lighter Tech\runtime.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\filename.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost015.exe N/A
N/A N/A C:\Users\Admin\1000238002\Amadeus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe N/A
N/A N/A C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\service123.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\filename.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSA469.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\Pictures\Lighter Tech\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\service123.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Indirect Command Execution

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe = "C:\\Users\\Admin\\1000238002\\Amadeus.exe" C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\"" C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4460 set thread context of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 set thread context of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 set thread context of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 2156 set thread context of 432 N/A C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5004 set thread context of 912 N/A C:\Users\Admin\1000238002\Amadeus.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 4740 set thread context of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2596 set thread context of 1176 N/A C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1828 set thread context of 5176 N/A C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif
PID 232 set thread context of 5296 N/A C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 6092 set thread context of 2720 N/A C:\Users\Admin\Pictures\Lighter Tech\runtime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ChipsCounted C:\Users\Admin\AppData\Local\Temp\filename.exe N/A
File opened for modification C:\Windows\MaximizeRepresentative C:\Users\Admin\AppData\Local\Temp\filename.exe N/A
File opened for modification C:\Windows\ChristmasHerbal C:\Users\Admin\AppData\Local\Temp\filename.exe N/A
File opened for modification C:\Windows\LadySquare C:\Users\Admin\AppData\Local\Temp\filename.exe N/A
File opened for modification C:\Windows\PrerequisiteCents C:\Users\Admin\AppData\Local\Temp\filename.exe N/A
File created C:\Windows\Tasks\bDxiLwhXhHymEtvbIE.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000238002\Amadeus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\forfiles.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSA469.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\service123.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\forfiles.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2820 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2820 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 452 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 452 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 452 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 4460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 452 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 452 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 452 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3944 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2100 wrote to memory of 4016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe
PID 2100 wrote to memory of 4016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe
PID 2100 wrote to memory of 4016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe
PID 2100 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe
PID 2100 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe
PID 2100 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe
PID 452 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 452 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 452 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2216 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2216 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2216 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 452 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 452 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 452 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 452 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
PID 452 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
PID 452 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe
PID 452 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 452 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 452 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
PID 3340 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 3340 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 3340 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 3340 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 3340 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 3340 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 3340 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 3340 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe C:\Users\Admin\AppData\Local\Temp\svchost015.exe
PID 452 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\1000238002\Amadeus.exe
PID 452 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\1000238002\Amadeus.exe
PID 452 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\1000238002\Amadeus.exe
PID 452 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe
PID 452 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe
PID 452 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 452 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
PID 452 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe

"C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe

"C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe"

C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe

"C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe

"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\1000238002\Amadeus.exe

"C:\Users\Admin\1000238002\Amadeus.exe"

C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe"

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"

C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe

"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe

"C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe

"C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"

C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe

"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"

C:\Users\Admin\AppData\Local\Temp\service123.exe

"C:\Users\Admin\AppData\Local\Temp\service123.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe

"C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"

C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe

"C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe

"C:\Users\Admin\AppData\Roaming\NPqcpcuVNB.exe"

C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe

"C:\Users\Admin\AppData\Roaming\tFtzeaz0BT.exe"

C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe

"C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe"

C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe

"C:\Users\Admin\AppData\Local\Temp\1000265001\broadcom5.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe

"C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Users\Admin\AppData\Local\Temp\filename.exe

"C:\Users\Admin\AppData\Local\Temp\filename.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Investigations Investigations.bat & Investigations.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 684126

C:\Windows\SysWOW64\findstr.exe

findstr /V "VegetablesIndividualBindingGba" Ever

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C

C:\Users\Admin\AppData\Local\Temp\684126\Intake.pif

Intake.pif C

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 590819

C:\Windows\SysWOW64\findstr.exe

findstr /V "MEDICAIDGROUPSSHARPGOVERNOR" Novels

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Sheet + ..\Drums + ..\Actually + ..\Mls + ..\Real + ..\Zoophilia + ..\Ah + ..\Opposed + ..\Affiliated y

C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif

Associates.pif y

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe

"C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe"

C:\Users\Admin\AppData\Local\Temp\7zSA469.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe

.\Install.exe /PdidSen "385107" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe

"C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2836 -ip 2836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 492

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe

"C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bDxiLwhXhHymEtvbIE" /SC once /ST 14:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe\" Jk /djdidPGu 385107 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe

"C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe"

C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif

C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\Pictures\Lighter Tech\runtime.exe

"C:\Users\Admin\Pictures\Lighter Tech\runtime.exe"

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5176 -ip 5176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5176 -ip 5176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\1000300001\runtime.exe" "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\Admin\Pictures\Lighter Tech\runtime.exe" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
RU 185.215.113.117:80 185.215.113.117 tcp
US 8.8.8.8:53 117.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
DE 95.179.250.45:26212 tcp
RU 185.215.113.26:80 185.215.113.26 tcp
US 8.8.8.8:53 45.250.179.95.in-addr.arpa udp
US 8.8.8.8:53 26.113.215.185.in-addr.arpa udp
FI 65.21.18.51:45580 tcp
US 8.8.8.8:53 51.18.21.65.in-addr.arpa udp
RU 185.215.113.26:80 185.215.113.26 tcp
RU 185.215.113.17:80 185.215.113.17 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 17.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 53.107.216.95.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 185.215.113.17:80 185.215.113.17 tcp
US 8.8.8.8:53 fivev5sb.top udp
RU 195.133.48.136:80 fivev5sb.top tcp
US 8.8.8.8:53 136.48.133.195.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 185.215.113.67:15206 tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
FI 95.216.143.20:12695 tcp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 20.143.216.95.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 millyscroqwp.shop udp
US 104.21.84.66:443 millyscroqwp.shop tcp
US 8.8.8.8:53 66.84.21.104.in-addr.arpa udp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 8.8.8.8:53 traineiwnqo.shop udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 condedqpwqm.shop udp
US 104.21.10.172:443 condedqpwqm.shop tcp
TM 91.202.233.158:80 91.202.233.158 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 172.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 158.233.202.91.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
RU 185.215.113.26:80 185.215.113.26 tcp
FI 65.21.18.51:45580 tcp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 softonic-pc.ru udp
RU 37.140.192.11:443 softonic-pc.ru tcp
US 8.8.8.8:53 11.192.140.37.in-addr.arpa udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 thizx13vt.top udp
US 104.21.84.66:443 millyscroqwp.shop tcp
US 8.8.8.8:53 240902175059845.std.kqve01.top udp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 8.8.8.8:53 traineiwnqo.shop udp
US 104.21.10.172:443 condedqpwqm.shop tcp
CH 179.43.188.227:80 240902175059845.std.kqve01.top tcp
NL 45.200.149.147:80 45.200.149.147 tcp
US 8.8.8.8:53 227.188.43.179.in-addr.arpa udp
US 8.8.8.8:53 147.149.200.45.in-addr.arpa udp
RU 194.58.114.223:80 194.58.114.223 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 223.114.58.194.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN udp
US 8.8.8.8:53 DGLQIQwMnon.DGLQIQwMnon udp
US 8.8.8.8:53 thizx13vt.top udp
US 103.130.147.211:80 103.130.147.211 tcp
US 8.8.8.8:53 211.147.130.103.in-addr.arpa udp
US 8.8.8.8:53 thizx13vt.top udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 thirtv13pt.top udp
RU 195.133.13.230:80 thirtv13pt.top tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 230.13.133.195.in-addr.arpa udp
US 8.8.8.8:53 thizx13vt.top udp
RU 185.215.113.19:80 185.215.113.19 tcp
US 8.8.8.8:53 femininedspzmhu.shop udp
US 104.21.66.172:443 femininedspzmhu.shop tcp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 8.8.8.8:53 traineiwnqo.shop udp
US 104.21.10.172:443 condedqpwqm.shop tcp
US 8.8.8.8:53 172.66.21.104.in-addr.arpa udp
US 8.8.8.8:53 thizx13vt.top udp
NL 45.200.149.147:27667 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/2820-0-0x0000000000020000-0x00000000004C6000-memory.dmp

memory/2820-1-0x0000000077744000-0x0000000077746000-memory.dmp

memory/2820-2-0x0000000000021000-0x000000000004F000-memory.dmp

memory/2820-3-0x0000000000020000-0x00000000004C6000-memory.dmp

memory/2820-4-0x0000000000020000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 59953a2ace8d80a3eac87bb37cf35871
SHA1 f22821242ad268998f04a52f46ce23bf1d0bddd3
SHA256 4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456
SHA512 87e266458db8c1c39d4f4473b7933c30f60964f2246727c48f44b4bcfa83e3207bc660f887148316c0a09681b9795276fe25acea94b5324e1760d5a1472969f8

memory/2820-17-0x0000000000020000-0x00000000004C6000-memory.dmp

memory/452-18-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/452-19-0x0000000000791000-0x00000000007BF000-memory.dmp

memory/452-20-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/452-21-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/452-22-0x0000000000790000-0x0000000000C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

MD5 2d647cf43622ed10b6d733bb5f048fc3
SHA1 6b9c5f77a9ef064a23e5018178f982570cbc64c6
SHA256 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6
SHA512 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a

memory/4460-43-0x000000007335E000-0x000000007335F000-memory.dmp

memory/4460-44-0x0000000000140000-0x0000000000194000-memory.dmp

memory/2428-46-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2428-48-0x0000000005070000-0x0000000005614000-memory.dmp

memory/2428-49-0x0000000004AC0000-0x0000000004B52000-memory.dmp

memory/2428-50-0x0000000004C50000-0x0000000004C5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp8B96.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2428-67-0x0000000005720000-0x0000000005796000-memory.dmp

memory/2428-68-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

memory/2428-71-0x0000000006840000-0x0000000006E58000-memory.dmp

memory/2428-72-0x0000000006330000-0x000000000643A000-memory.dmp

memory/2428-73-0x0000000006270000-0x0000000006282000-memory.dmp

memory/2428-74-0x00000000062D0000-0x000000000630C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

MD5 8e74497aff3b9d2ddb7e7f819dfc69ba
SHA1 1d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256 d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA512 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

memory/2428-90-0x0000000006440000-0x000000000648C000-memory.dmp

memory/3944-94-0x00000000009B0000-0x0000000000AC2000-memory.dmp

memory/2100-96-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2100-100-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2100-99-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2100-97-0x0000000000400000-0x000000000050D000-memory.dmp

C:\Users\Admin\AppData\Roaming\07DD4GXsP3.exe

MD5 88367533c12315805c059e688e7cdfe9
SHA1 64a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256 c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA512 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

C:\Users\Admin\AppData\Roaming\egKXRnvmfw.exe

MD5 30f46f4476cdc27691c7fdad1c255037
SHA1 b53415af5d01f8500881c06867a49a5825172e36
SHA256 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

memory/2100-121-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2808-124-0x0000000000C90000-0x0000000000CE2000-memory.dmp

memory/4016-126-0x0000000000B70000-0x0000000000BFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\76b53b3ec448f7ccdda2063b15d2bfc3_c186ecc3-67e4-4d2b-8682-b6c322da87aa

MD5 c8c18bedbb9223d97674afd056fbad36
SHA1 fd231cd340d23c0d6d6dde8d0af43b937d1f618e
SHA256 dd37b70933da899f3b5436440a8ee9d9756813d8d8ef1ce0b558bfd1c25c766d
SHA512 3550c4a994cb3662b5b28a0b709766d9be536dd8528f5327f8ffe0e1d6ee0f8e9ec0b67b37bd08000289d075715493eab43dbb21b7da68842e1127c74541f051

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 8864202c5fd6edef7dff9e7177d2d18b
SHA1 cdd76aaf0a9d2ea8bcdeaf336032add0ec405313
SHA256 3fb12096937620ecb84b306caabccdb902c67923299c433ee184cc75d4ea71c5
SHA512 fabc71dd02544a32d66fd08e75479805b42ebc1c33f7e64935e59aa7b8bf3e0085ff94e6171c5df88a80df49673dd494be6af3148f0972a2df5afcdd4de90de8

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 4107e62fd0aab27e26bb5935018cc2e6
SHA1 e6bd7391484ff88297953f313789485eb4f5ac28
SHA256 e414e76bf70e2261c8da9ba3736fcd978aee74c0eee8667931d7aed356a5ef1b
SHA512 56317293399a4fcd94752ec52061f2239a682d3a939b2a94f89cc8ccaf66575bd13e66295ac4326008fd9f35d0a3d77667425cfef21ec5eb7a8cbefd62927fe7

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

memory/452-163-0x0000000000790000-0x0000000000C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/452-189-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/452-191-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/1484-190-0x00000000002A0000-0x00000000004E3000-memory.dmp

memory/452-195-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/4016-196-0x0000000008DA0000-0x0000000008E06000-memory.dmp

memory/4016-197-0x000000000A1E0000-0x000000000A3A2000-memory.dmp

memory/4016-198-0x000000000A8E0000-0x000000000AE0C000-memory.dmp

memory/2428-201-0x00000000067B0000-0x0000000006800000-memory.dmp

memory/452-202-0x0000000000790000-0x0000000000C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe

MD5 45b55d1e5d2bf60cc572f541ae6fa7d1
SHA1 2329f56147a299bcdbf20520e626cc8253e49a8d
SHA256 039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8
SHA512 5483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe

MD5 7e6a519688246fe1180f35fe0d25d370
SHA1 8e8719ac897dfef7305311dc216f570af40709af
SHA256 32a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a
SHA512 a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972

memory/1444-240-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1444-243-0x0000000000400000-0x0000000000643000-memory.dmp

memory/3340-245-0x0000000000400000-0x000000000079D000-memory.dmp

memory/1444-244-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

MD5 b826dd92d78ea2526e465a34324ebeea
SHA1 bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA256 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA512 1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

memory/1484-246-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/452-269-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/2288-280-0x0000000000400000-0x0000000001069000-memory.dmp

C:\Users\Admin\1000238002\Amadeus.exe

MD5 36a627b26fae167e6009b4950ff15805
SHA1 f3cb255ab3a524ee05c8bab7b4c01c202906b801
SHA256 a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a
SHA512 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

C:\Users\Admin\AppData\Local\Temp\1000243001\runtime.exe

MD5 b73cf29c0ea647c353e4771f0697c41f
SHA1 3e5339b80dcfbdc80d946fc630c657654ef58de7
SHA256 edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd
SHA512 2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8

memory/2156-322-0x00000000004D0000-0x00000000004E2000-memory.dmp

memory/1444-323-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe

MD5 03cf06e01384018ac325de8bc160b4b2
SHA1 1853505e502b392fd556a9ce6050207230cc70cd
SHA256 5ab3785b2b72eaf7edff8961eb8ff8dd3dc6cc7031bc96ceb06a899b6fb3bbbc
SHA512 be1f2cf898db93e96e8817bf2d0ab0ef0f49d5bba4efba2de4046f6b381e8eda6ff5fcfdc057b6cbc4de5b3a7b096612c1e0d6b0d395ee685b3844ba5dc0e1b6

memory/3684-346-0x0000000000030000-0x00000000000C0000-memory.dmp

memory/452-347-0x0000000000790000-0x0000000000C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe

MD5 30daa686c1f31cc4833bd3d7283d8cdc
SHA1 70f74571fafe1b359cfe9ce739c3752e35d16cf5
SHA256 504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822
SHA512 9f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9

memory/4008-369-0x0000000000580000-0x00000000005D2000-memory.dmp

memory/4008-390-0x00000000067C0000-0x000000000680C000-memory.dmp

memory/2288-391-0x0000000000400000-0x0000000001069000-memory.dmp

memory/3936-394-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/3936-396-0x0000000000790000-0x0000000000C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000260001\5KNCHALAH.exe

MD5 3f99c2698fc247d19dd7f42223025252
SHA1 043644883191079350b2f2ffbefef5431d768f99
SHA256 ba8561bf19251875a15471812042adac49f825c69c3087054889f6107297c6f3
SHA512 6a88d1049059bba8f0c9498762502e055107d9f82dbc0aacfdd1e1c138bdb875cf68c2b7998408f8235e53b2bb864ba6f43c249395640b62af305a62b9bfcd67

memory/2196-418-0x0000012758D90000-0x0000012758F2A000-memory.dmp

memory/2196-422-0x00000127736B0000-0x00000127737DA000-memory.dmp

memory/2196-432-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-456-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-454-0x00000127736B0000-0x00000127737D4000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2196-452-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-450-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-448-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-446-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2156-1519-0x000000001BDB0000-0x000000001BE20000-memory.dmp

memory/2196-1521-0x0000012773880000-0x00000127738CC000-memory.dmp

memory/2196-1520-0x00000127737E0000-0x0000012773884000-memory.dmp

memory/2156-1518-0x000000001B220000-0x000000001B2A4000-memory.dmp

memory/2196-444-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-442-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-440-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-438-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-436-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-434-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-430-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-428-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-426-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-424-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/2196-423-0x00000127736B0000-0x00000127737D4000-memory.dmp

memory/1484-1537-0x00000000002A0000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe

MD5 771b8e84ba4f0215298d9dadfe5a10bf
SHA1 0f5e4c440cd2e7b7d97723424ba9c56339036151
SHA256 3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0
SHA512 2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164

memory/3096-1558-0x0000000000580000-0x00000000005A0000-memory.dmp

memory/3096-1559-0x0000000000E10000-0x0000000000E16000-memory.dmp

memory/1444-1574-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\392887640118

MD5 ff40ec9dbc96e3a8a517dcfdc08d6ea3
SHA1 628f3c0beefcf1c0fcbc8af9fa4f43c596cfc73b
SHA256 fada68d6cd7155e33a70274f8f7b549fd6e7bff47a67b8d7832bbc4efc255da1
SHA512 1f8855f5923cbcc40749271eb854771627b2782e387d292f09c1d4d28566cf8f237284ac058c0102475e31c912aa88893593d61cdd085edde41174b21ac41a92

C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe

MD5 fd2defc436fc7960d6501a01c91d893e
SHA1 5faa092857c3c892eab49e7c0e5ac12d50bce506
SHA256 ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945
SHA512 9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypteda.exe.log

MD5 84cfdb4b995b1dbf543b26b86c863adc
SHA1 d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256 d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

C:\Users\Admin\AppData\Local\Temp\1000226001\fikbbm0902845.exe

MD5 c965aa525ae4cfbc3b45c6b7e9271a59
SHA1 3a84d4c1c9277173b530263107af4caf1f61213f
SHA256 50ea6c698e72e13b8132b66bbca9479b7f4815ebb2f8adb3ca1cfec79523107e
SHA512 bfddf9f5cb766b20f564b6a94048d1779431794b02cbd0993f4f3554b46b1a4e17bd3def58200da665fd991d1480b22992181ef543413d8013a19889484c3f1c

C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe

MD5 db2a12edc73769f2f2b6b01545afe2c3
SHA1 73dc44fb0753296f51b851299f468031ceb77b54
SHA256 e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42
SHA512 dadf36bc9c5d88c28b9064892cc263c912ce668435b71802df756c0a4e680f8407011d36498a2511dda7165aea866c0ae794f9ec8fbcc42c7da1661399316ce4

C:\Users\Admin\AppData\Local\Temp\Luck

MD5 2dc7d0c0f159951f61bf3a13b09248fa
SHA1 096befa4fb246d61bce5143c841a4557ef2db783
SHA256 be3789def126bae2c4aab1f575cd5a0672ad622f6ebbafa1531a8b88b144beec
SHA512 bea4558dc80e80d1c7933472d2661a9a1759ea0f5ef86a6ebf48a5a828472cb6a22b2fbbe760c97a204530e03c9bd6700c64e0f66c6d12c52acaad0d95e9f38a

C:\Users\Admin\AppData\Local\Temp\filename.exe

MD5 0885bc5d9c2aa1895ebd5fcad13b53be
SHA1 ad559563e4e21cb7354a4692b31852839b0b22d7
SHA256 b7763f18a43e9727036d685576fe102901f45fd1b9407395bbc10966a9811d25
SHA512 91c73e9a3a74624dad400c0c5b7670b977946a06344782ca859be70578e64c2f0d4fdb3eadb70821168c64929a8bfe16a18fb10ba65bcd80e14701ef8c05091f

C:\Users\Admin\AppData\Local\Temp\590819\Associates.pif

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe

MD5 20134f10fe5275891ee287c9b7f9bf62
SHA1 5f42316b48261176b65cb51e5d59c20e38cab03f
SHA256 bebe99bb379eca567b4ab4389a56580cd271fb6e184cd84149c4b304976b21da
SHA512 7cf9fdc588f94ebd89797982bd4c0d10b5853d05aedfcea037f4c4839a6c0a2f95292f2526675c8408367f7a58cf22d82a9746941ab71a296f44f32672ac9a42

memory/5688-1814-0x0000000000AB0000-0x000000000115B000-memory.dmp

memory/2276-1815-0x0000000002CC0000-0x0000000002CF6000-memory.dmp

memory/2276-1816-0x00000000057B0000-0x0000000005DD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3m30rkm4.nsf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2276-1823-0x0000000005F30000-0x0000000005F96000-memory.dmp

memory/2276-1822-0x0000000005E90000-0x0000000005EB2000-memory.dmp

memory/2276-1828-0x0000000006110000-0x0000000006464000-memory.dmp

memory/2276-1831-0x0000000006600000-0x000000000661E000-memory.dmp

memory/2276-1833-0x0000000006BE0000-0x0000000006C76000-memory.dmp

memory/2276-1834-0x0000000006AD0000-0x0000000006AEA000-memory.dmp

memory/2276-1836-0x0000000006B50000-0x0000000006B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe

MD5 0ec1f7cc17b6402cd2df150e0e5e92ca
SHA1 8405b9bf28accb6f1907fbe28d2536da4fba9fc9
SHA256 4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4
SHA512 7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861

memory/6024-1858-0x0000000006090000-0x00000000063E4000-memory.dmp

memory/6024-1868-0x0000000006D30000-0x0000000006D7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000296001\Channel3.exe

MD5 251026403399837fa07b9ca1481a2c77
SHA1 ada941cebcc0bb40105718cc6857f3bd597a067d
SHA256 8647df6e68b1c951961443dcce0cc03211d2ede60409ab0b448ac6df6f9cfed9
SHA512 6a509b2d07091f4433fae8fede1623a39633c430a0361dfdd7147f3e3853c06695fcc5a58f365a959586c132d08954d06d00c353a31edf24bfbb8a98bdc8e6b5

memory/5688-1905-0x0000000000AB0000-0x000000000115B000-memory.dmp

memory/1500-1914-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/1500-1916-0x0000000000790000-0x0000000000C36000-memory.dmp

memory/5508-1932-0x0000000000B80000-0x0000000000C0C000-memory.dmp

memory/5508-1934-0x0000000008460000-0x00000000084AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-07 14:44

Reported

2024-09-07 14:46

Platform

win11-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe

"C:\Users\Admin\AppData\Local\Temp\4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp

Files

memory/3112-0-0x0000000000920000-0x0000000000DC6000-memory.dmp

memory/3112-1-0x00000000772E6000-0x00000000772E8000-memory.dmp

memory/3112-2-0x0000000000921000-0x000000000094F000-memory.dmp

memory/3112-3-0x0000000000920000-0x0000000000DC6000-memory.dmp

memory/3112-4-0x0000000000920000-0x0000000000DC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 59953a2ace8d80a3eac87bb37cf35871
SHA1 f22821242ad268998f04a52f46ce23bf1d0bddd3
SHA256 4fe8a0e454dd7503f35f56e022cfef089a4477e906414663da459c27480c5456
SHA512 87e266458db8c1c39d4f4473b7933c30f60964f2246727c48f44b4bcfa83e3207bc660f887148316c0a09681b9795276fe25acea94b5324e1760d5a1472969f8

memory/3112-17-0x0000000000920000-0x0000000000DC6000-memory.dmp

memory/1608-18-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-20-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-19-0x0000000000D81000-0x0000000000DAF000-memory.dmp

memory/1608-21-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-22-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-23-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-24-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-25-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-26-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-27-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/2160-29-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/2160-30-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/2160-31-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/2160-33-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-34-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-35-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-36-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-37-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-38-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-39-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/2404-41-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-42-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-43-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-44-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-45-0x0000000000D80000-0x0000000001226000-memory.dmp

memory/1608-46-0x0000000000D80000-0x0000000001226000-memory.dmp