Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2024 16:44
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20240802-en
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
3c068f1e2d2b3a52f24a641a127e2034
-
SHA1
9c9e1f4f52b82067c06811ade34903073afa8f7d
-
SHA256
6b145fe49cdcb76b2f6d3aa8109654eca5575a91ba6600adac8854671044f45a
-
SHA512
e0478644e127db7f082eb2e1e610134d7f3084bb1028634bef55bdbd6a46eaf19035458b82500989b8c4c50cd705bd915c54c2d53d1090ce5a1e3b226a2ffaa4
-
SSDEEP
49152:IDbL46qozidCP2wl/fxd4nV9CcIOizG77FnNZJqJ:I/M6Jids2wjdGf3iq77FnzJq
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
stealc
default
http://91.202.233.158
-
url_path
/e96ea2db21fa9a1b.php
Extracted
redline
bundle
185.215.113.67:15206
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource yara_rule behavioral2/memory/5068-45-0x0000000000400000-0x0000000000452000-memory.dmp family_redline C:\Users\Admin\AppData\Roaming\AdTxpR8EGb.exe family_redline behavioral2/memory/4372-123-0x0000000000BD0000-0x0000000000C22000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe family_redline behavioral2/memory/1816-343-0x0000000000930000-0x0000000000982000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs
Processes:
RMS1.exedescription pid process target process PID 5084 created 3464 5084 RMS1.exe Explorer.EXE PID 5084 created 3464 5084 RMS1.exe Explorer.EXE PID 5084 created 3464 5084 RMS1.exe Explorer.EXE PID 5084 created 3464 5084 RMS1.exe Explorer.EXE PID 5084 created 3464 5084 RMS1.exe Explorer.EXE PID 5084 created 3464 5084 RMS1.exe Explorer.EXE PID 5084 created 3464 5084 RMS1.exe Explorer.EXE PID 5084 created 3464 5084 RMS1.exe Explorer.EXE -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
axplong.exefile.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
axplong.exefile.exeaxplong.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Nework.exefile.exeaxplong.exeRegAsm.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Nework.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Executes dropped EXE 18 IoCs
Processes:
axplong.exegold.execrypteda.exeGE0iK7c4Rc.exeAdTxpR8EGb.exeNework.exeHkbsse.exestealc_default2.exeaxplong.exeHkbsse.exeneedmoney.exesvchost015.exepenis.exebundle.exeacentric.exeRMS1.exeHkbsse.exeaxplong.exepid process 3932 axplong.exe 2728 gold.exe 3696 crypteda.exe 4080 GE0iK7c4Rc.exe 4372 AdTxpR8EGb.exe 4104 Nework.exe 2756 Hkbsse.exe 4456 stealc_default2.exe 2076 axplong.exe 2844 Hkbsse.exe 2796 needmoney.exe 4876 svchost015.exe 856 penis.exe 1816 bundle.exe 4360 acentric.exe 5084 RMS1.exe 4572 Hkbsse.exe 2004 axplong.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
file.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe -
Loads dropped DLL 2 IoCs
Processes:
stealc_default2.exepid process 4456 stealc_default2.exe 4456 stealc_default2.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
acentric.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update" acentric.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
file.exeaxplong.exeaxplong.exeaxplong.exepid process 3148 file.exe 3932 axplong.exe 2076 axplong.exe 2004 axplong.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
gold.execrypteda.exeneedmoney.exeRMS1.exedescription pid process target process PID 2728 set thread context of 5068 2728 gold.exe RegAsm.exe PID 3696 set thread context of 432 3696 crypteda.exe RegAsm.exe PID 2796 set thread context of 4876 2796 needmoney.exe svchost015.exe PID 5084 set thread context of 3580 5084 RMS1.exe InstallUtil.exe -
Drops file in Windows directory 2 IoCs
Processes:
file.exeNework.exedescription ioc process File created C:\Windows\Tasks\axplong.job file.exe File created C:\Windows\Tasks\Hkbsse.job Nework.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Hkbsse.exesvchost015.exepenis.exebundle.exeRegAsm.exestealc_default2.exefile.exegold.exeRegAsm.exeGE0iK7c4Rc.exeNework.exeneedmoney.exeaxplong.execrypteda.exeAdTxpR8EGb.exeacentric.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language penis.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bundle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GE0iK7c4Rc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nework.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language needmoney.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AdTxpR8EGb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language acentric.exe -
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
penis.exestealc_default2.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 penis.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default2.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 penis.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier penis.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz penis.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor penis.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information penis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString penis.exe -
Processes:
RegAsm.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
file.exeaxplong.exeRegAsm.exeGE0iK7c4Rc.exestealc_default2.exeAdTxpR8EGb.exeaxplong.exeaxplong.exeacentric.exepid process 3148 file.exe 3148 file.exe 3932 axplong.exe 3932 axplong.exe 5068 RegAsm.exe 5068 RegAsm.exe 4080 GE0iK7c4Rc.exe 4080 GE0iK7c4Rc.exe 4456 stealc_default2.exe 4456 stealc_default2.exe 4372 AdTxpR8EGb.exe 4372 AdTxpR8EGb.exe 5068 RegAsm.exe 5068 RegAsm.exe 5068 RegAsm.exe 5068 RegAsm.exe 4372 AdTxpR8EGb.exe 4372 AdTxpR8EGb.exe 4372 AdTxpR8EGb.exe 4372 AdTxpR8EGb.exe 2076 axplong.exe 2076 axplong.exe 4456 stealc_default2.exe 4456 stealc_default2.exe 2004 axplong.exe 2004 axplong.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe 4360 acentric.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
GE0iK7c4Rc.exeRegAsm.exeAdTxpR8EGb.exeRMS1.exeacentric.exepowershell.exedescription pid process Token: SeDebugPrivilege 4080 GE0iK7c4Rc.exe Token: SeBackupPrivilege 4080 GE0iK7c4Rc.exe Token: SeSecurityPrivilege 4080 GE0iK7c4Rc.exe Token: SeSecurityPrivilege 4080 GE0iK7c4Rc.exe Token: SeSecurityPrivilege 4080 GE0iK7c4Rc.exe Token: SeSecurityPrivilege 4080 GE0iK7c4Rc.exe Token: SeDebugPrivilege 5068 RegAsm.exe Token: SeDebugPrivilege 4372 AdTxpR8EGb.exe Token: SeDebugPrivilege 5084 RMS1.exe Token: SeDebugPrivilege 4360 acentric.exe Token: SeDebugPrivilege 5084 RMS1.exe Token: SeDebugPrivilege 1652 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
file.exepid process 3148 file.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exeaxplong.exegold.execrypteda.exeRegAsm.exeNework.exeneedmoney.exedescription pid process target process PID 3148 wrote to memory of 3932 3148 file.exe axplong.exe PID 3148 wrote to memory of 3932 3148 file.exe axplong.exe PID 3148 wrote to memory of 3932 3148 file.exe axplong.exe PID 3932 wrote to memory of 2728 3932 axplong.exe gold.exe PID 3932 wrote to memory of 2728 3932 axplong.exe gold.exe PID 3932 wrote to memory of 2728 3932 axplong.exe gold.exe PID 2728 wrote to memory of 2864 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 2864 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 2864 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 5068 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 5068 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 5068 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 5068 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 5068 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 5068 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 5068 2728 gold.exe RegAsm.exe PID 2728 wrote to memory of 5068 2728 gold.exe RegAsm.exe PID 3932 wrote to memory of 3696 3932 axplong.exe crypteda.exe PID 3932 wrote to memory of 3696 3932 axplong.exe crypteda.exe PID 3932 wrote to memory of 3696 3932 axplong.exe crypteda.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 3696 wrote to memory of 432 3696 crypteda.exe RegAsm.exe PID 432 wrote to memory of 4080 432 RegAsm.exe GE0iK7c4Rc.exe PID 432 wrote to memory of 4080 432 RegAsm.exe GE0iK7c4Rc.exe PID 432 wrote to memory of 4080 432 RegAsm.exe GE0iK7c4Rc.exe PID 432 wrote to memory of 4372 432 RegAsm.exe AdTxpR8EGb.exe PID 432 wrote to memory of 4372 432 RegAsm.exe AdTxpR8EGb.exe PID 432 wrote to memory of 4372 432 RegAsm.exe AdTxpR8EGb.exe PID 3932 wrote to memory of 4104 3932 axplong.exe Nework.exe PID 3932 wrote to memory of 4104 3932 axplong.exe Nework.exe PID 3932 wrote to memory of 4104 3932 axplong.exe Nework.exe PID 4104 wrote to memory of 2756 4104 Nework.exe Hkbsse.exe PID 4104 wrote to memory of 2756 4104 Nework.exe Hkbsse.exe PID 4104 wrote to memory of 2756 4104 Nework.exe Hkbsse.exe PID 3932 wrote to memory of 4456 3932 axplong.exe stealc_default2.exe PID 3932 wrote to memory of 4456 3932 axplong.exe stealc_default2.exe PID 3932 wrote to memory of 4456 3932 axplong.exe stealc_default2.exe PID 3932 wrote to memory of 2796 3932 axplong.exe needmoney.exe PID 3932 wrote to memory of 2796 3932 axplong.exe needmoney.exe PID 3932 wrote to memory of 2796 3932 axplong.exe needmoney.exe PID 2796 wrote to memory of 4876 2796 needmoney.exe svchost015.exe PID 2796 wrote to memory of 4876 2796 needmoney.exe svchost015.exe PID 2796 wrote to memory of 4876 2796 needmoney.exe svchost015.exe PID 2796 wrote to memory of 4876 2796 needmoney.exe svchost015.exe PID 2796 wrote to memory of 4876 2796 needmoney.exe svchost015.exe PID 2796 wrote to memory of 4876 2796 needmoney.exe svchost015.exe PID 2796 wrote to memory of 4876 2796 needmoney.exe svchost015.exe PID 2796 wrote to memory of 4876 2796 needmoney.exe svchost015.exe PID 3932 wrote to memory of 856 3932 axplong.exe penis.exe PID 3932 wrote to memory of 856 3932 axplong.exe penis.exe PID 3932 wrote to memory of 856 3932 axplong.exe penis.exe PID 3932 wrote to memory of 1816 3932 axplong.exe bundle.exe PID 3932 wrote to memory of 1816 3932 axplong.exe bundle.exe PID 3932 wrote to memory of 1816 3932 axplong.exe bundle.exe PID 3932 wrote to memory of 4360 3932 axplong.exe acentric.exe PID 3932 wrote to memory of 4360 3932 axplong.exe acentric.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵PID:2864
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Users\Admin\AppData\Roaming\GE0iK7c4Rc.exe"C:\Users\Admin\AppData\Roaming\GE0iK7c4Rc.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080 -
C:\Users\Admin\AppData\Roaming\AdTxpR8EGb.exe"C:\Users\Admin\AppData\Roaming\AdTxpR8EGb.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exeC:\Users\Admin\AppData\Local\Temp\svchost015.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:856 -
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe"C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360 -
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3752
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2776
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4500
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4416
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1724
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3508
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3156
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:220
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4080
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:852
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:324
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3000
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3776
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2872
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1904
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1744
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4688
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4756
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1736
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1260
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2096
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2204
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2860
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1780
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4560
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1404
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3896
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1408
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4648
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3496
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4160
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:640
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4152
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:988
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3840
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4488
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4612
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2360
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4480
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2132
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:5080
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:5104
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1016
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2068
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2464
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1048
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:392
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1036
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2620
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3208
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3824
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3720
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:5076
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2000
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3352
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2484
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3332
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1220
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1396
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4752
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4768
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4284
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4340
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3628
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:464
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:532
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4920
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2948
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:536
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4788
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3880
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3872
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3940
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4352
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4520
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2844
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3608
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1128
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4184
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4528
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1364
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4696
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4616
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2624
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:384
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3664
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2328
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2760
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3780
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4952
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2396
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:2708
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3128
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:4748
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3148
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1624
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3316
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:368
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:1148
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵PID:3732
-
C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe"C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5084 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe' -Force5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:3772
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:4220
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:2028
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:3472
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:2504
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:4588
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:1972
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2076
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
PID:2844
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4572
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2004
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Indicator Removal
1File Deletion
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
313KB
MD52d647cf43622ed10b6d733bb5f048fc3
SHA16b9c5f77a9ef064a23e5018178f982570cbc64c6
SHA25641426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6
SHA51262400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
3.6MB
MD54e30c35be46df08098c89f7126f84a62
SHA1046fafcca22ff95942b5e389274145c13676e910
SHA256f0a44e2dc77549bbfe6e02d6b66e819ee50df7ce9dcec6276db404266df06590
SHA51219311e2cf0b057985a55e9cc5f2e9f6fd50ea7c48e6731cb14bb9314b5ae2cc5da5a52219f62e1076523e8ce6dd3f46088101b408dc6728c26454bd145bd895e
-
Filesize
3.6MB
MD57e6a519688246fe1180f35fe0d25d370
SHA18e8719ac897dfef7305311dc216f570af40709af
SHA25632a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a
SHA512a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972
-
Filesize
3.5MB
MD50faa6e1a78e6bb809eb5a7cdcdf68e17
SHA1f1ba39e702710365c345ab034bcd1a6d5ec8d4ad
SHA2569d6966889f6ec503ae2bd99c666b55429d1835e538e1ac15f06c3524241c0c92
SHA512261cd43b42ccbe7b6b393d454270dd22110c062632707f73bf045f91aee0f09b4387cac8ba7a9275b1ddaa427240606f654f74224fe6fcd38c8ae40b3c4f8ee7
-
Filesize
304KB
MD530daa686c1f31cc4833bd3d7283d8cdc
SHA170f74571fafe1b359cfe9ce739c3752e35d16cf5
SHA256504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822
SHA5129f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9
-
Filesize
454KB
MD537d198ad751d31a71acc9cb28ed0c64e
SHA18eb519b7a6df66d84c566605da9a0946717a921d
SHA2561ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
SHA51260923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96
-
Filesize
1.4MB
MD503b1ed4c105e5f473357dad1df17cf98
SHA1faf5046ff19eafd3a59dcf85be30496f90b5b6b1
SHA2566be5916900ffda93154db8c2c5dd28b9150f4c3aef74dbd4fd86390bc72845ba
SHA5123f6f8a12d000b913dc8240542be6a64f991dc0802313782d038b971219308e7d381d4d96c25d98ee1b05bca127a9bbc69e3bd54f1722d8381f8060bb506a9765
-
Filesize
1.8MB
MD53c068f1e2d2b3a52f24a641a127e2034
SHA19c9e1f4f52b82067c06811ade34903073afa8f7d
SHA2566b145fe49cdcb76b2f6d3aa8109654eca5575a91ba6600adac8854671044f45a
SHA512e0478644e127db7f082eb2e1e610134d7f3084bb1028634bef55bdbd6a46eaf19035458b82500989b8c4c50cd705bd915c54c2d53d1090ce5a1e3b226a2ffaa4
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-786284298-625481688-3210388970-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1b74ca46-c49b-4c52-a57d-8cd1ff70c625
Filesize2KB
MD5e5be5b7a69a95caa603c03b297545d56
SHA102961de04e862be8ffbbb9b6466d058bae1c71ea
SHA25601fd15992a82d4b7de666dce6dd3331180ab422103c7903fda21fe8535338eba
SHA512c6ba6f2840abb058876d81b419d3c9914dea2a945a90ae79aa8aa69e8160784bc7041d09e312918ed87c744ed1e214854dd1dcf67cd1e4be4ad0538a36bf55fb
-
Filesize
2KB
MD5aa60d7755d5a23aaba15d7e1555aa410
SHA186161ac3fc74599ef77c21e6d4525d4d2407a330
SHA256a9d7cb990c537410262c28d8017bd8c2ffbdcc9850133a81bf3cc5100f090e4e
SHA5122e51315c3704d082686ee84b93ea15e623e785280051e6482e172ddd9fa76c0234303132dbdff4174972877c00b004c43289782e1b27417ab863d852c8ae35e2
-
Filesize
2KB
MD5fba612eeb015040e2746998f014d48bb
SHA16a0b6255fd631eeb7a3e5c8378e71410464608a6
SHA256efed14402dbda73ef60c40cde4d6095269dd87531980a735f3bb35ad4b598a89
SHA5123370be0f65c58366664475d361be58253ad5eb8e8924f820c36b7f5a6980f420548152e2962efd4e2f20435b7e1003c896cc00f2df2185947edcb4ca6d34d1db