amadey | bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c

Analysis

max time kernel
299s
max time network
300s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-10-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Size

1.8MB
MD5

338fd6192a1bfaadbf72002bc5f8323e
SHA1

b465094f062d170487b50ae46b28325d4b156d58
SHA256

bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c
SHA512

bb0c58e71eccd9edf0acfb04cc23d4fc8d6250938a4ee0a42698ab53f07ebc66c1776b0e3d668e9aad0aab2c1e0e37261508013996b9ac0dea1fe77da992a167
SSDEEP

49152:wBxhTWeSd89d4s9Euz7orTXuk1rslL/eV:wgHdU1dzcr0lb

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

cryptbot

analforeverlovyu.top

tventyvf20vt.top

Attributes

url_path
/v1/upload.php

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
behavioral2/memory/4744-362-0x0000000069CC0000-0x000000006A377000-memory.dmp	family_cryptbot_v3

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000800000001ac39-87.dat	family_redline
behavioral2/memory/1520-95-0x0000000000120000-0x0000000000172000-memory.dmp	family_redline
behavioral2/memory/556-216-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	03110add73.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	df19b30cf0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 30 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	df19b30cf0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	03110add73.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	df19b30cf0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	03110add73.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	splwow64.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqdqsd.vbs	app.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	context.exe

Executes dropped EXE 40 IoCs

pid	Process
3224	axplong.exe
3728	gold.exe
5028	legas.exe
3616	yiliXDtCuE.exe
5012	ANJKcmcBHG.exe
4188	stealc_default2.exe
1520	newbundle2.exe
4012	03110add73.exe
1204	df19b30cf0.exe
2496	skotes.exe
2900	MK.exe
4340	Nework.exe
2212	Hkbsse.exe
3216	processclass.exe
4444	splwow64.exe
4216	Set-up.exe
4804	axplong.exe
4476	skotes.exe
2660	Hkbsse.exe
4744	sadsay.exe
3292	out.exe
1200	context.exe
812	app.exe
5092	service123.exe
684	axplong.exe
4800	Hkbsse.exe
5008	skotes.exe
5520	service123.exe
2840	Hkbsse.exe
3204	skotes.exe
2184	axplong.exe
6024	service123.exe
5616	Hkbsse.exe
5796	skotes.exe
5512	axplong.exe
780	service123.exe
5964	skotes.exe
5732	axplong.exe
4012	Hkbsse.exe
3932	service123.exe

Identifies Wine through registry keys 2 TTPs 15 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	03110add73.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	df19b30cf0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	skotes.exe

Loads dropped DLL 7 IoCs

pid	Process
4188	stealc_default2.exe
4188	stealc_default2.exe
5092	service123.exe
5520	service123.exe
6024	service123.exe
780	service123.exe
3932	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	out.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	out.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	out.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\03110add73.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\03110add73.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\df19b30cf0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\df19b30cf0.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\DyPLcaj70O71FWj = "C:\\Users\\Public\\Scripts\\c1DrceUPMXsvORG.vbs"	out.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
2272	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
3224	axplong.exe
4012	03110add73.exe
1204	df19b30cf0.exe
2496	skotes.exe
4804	axplong.exe
4476	skotes.exe
684	axplong.exe
5008	skotes.exe
2184	axplong.exe
3204	skotes.exe
5796	skotes.exe
5512	axplong.exe
5732	axplong.exe
5964	skotes.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3728 set thread context of 304	3728	gold.exe	74
PID 5028 set thread context of 4452	5028	legas.exe	79
PID 2900 set thread context of 556	2900	MK.exe	93
PID 4444 set thread context of 4668	4444	splwow64.exe	107
PID 1200 set thread context of 4032	1200	context.exe	117
PID 812 set thread context of 5076	812	app.exe	135

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
File created	C:\Windows\Tasks\skotes.job	df19b30cf0.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5164	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2616	3728	WerFault.exe	73
4984	5028	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03110add73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df19b30cf0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sadsay.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sadsay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sadsay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2660	wmic.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
628	timeout.exe
2444	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	98	Go-http-client/1.1

Kills process with taskkill 2 IoCs

evasion

pid	Process
2900	taskkill.exe
2124	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	newbundle2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	newbundle2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5860	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5076	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
2272	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
3224	axplong.exe
3224	axplong.exe
4188	stealc_default2.exe
4188	stealc_default2.exe
5012	ANJKcmcBHG.exe
4012	03110add73.exe
4012	03110add73.exe
3616	yiliXDtCuE.exe
3616	yiliXDtCuE.exe
1204	df19b30cf0.exe
1204	df19b30cf0.exe
2496	skotes.exe
2496	skotes.exe
4188	stealc_default2.exe
4188	stealc_default2.exe
556	RegAsm.exe
556	RegAsm.exe
556	RegAsm.exe
4804	axplong.exe
4804	axplong.exe
4476	skotes.exe
4476	skotes.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe
3292	out.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5076	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	5012	ANJKcmcBHG.exe
Token: SeSecurityPrivilege	5012	ANJKcmcBHG.exe
Token: SeSecurityPrivilege	5012	ANJKcmcBHG.exe
Token: SeSecurityPrivilege	5012	ANJKcmcBHG.exe
Token: SeSecurityPrivilege	5012	ANJKcmcBHG.exe
Token: SeBackupPrivilege	3616	yiliXDtCuE.exe
Token: SeSecurityPrivilege	3616	yiliXDtCuE.exe
Token: SeSecurityPrivilege	3616	yiliXDtCuE.exe
Token: SeSecurityPrivilege	3616	yiliXDtCuE.exe
Token: SeSecurityPrivilege	3616	yiliXDtCuE.exe
Token: SeDebugPrivilege	5012	ANJKcmcBHG.exe
Token: SeDebugPrivilege	3616	yiliXDtCuE.exe
Token: SeDebugPrivilege	556	RegAsm.exe
Token: SeDebugPrivilege	3216	processclass.exe
Token: SeDebugPrivilege	4444	splwow64.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	3292	out.exe
Token: SeIncreaseQuotaPrivilege	3932	wmic.exe
Token: SeSecurityPrivilege	3932	wmic.exe
Token: SeTakeOwnershipPrivilege	3932	wmic.exe
Token: SeLoadDriverPrivilege	3932	wmic.exe
Token: SeSystemProfilePrivilege	3932	wmic.exe
Token: SeSystemtimePrivilege	3932	wmic.exe
Token: SeProfSingleProcessPrivilege	3932	wmic.exe
Token: SeIncBasePriorityPrivilege	3932	wmic.exe
Token: SeCreatePagefilePrivilege	3932	wmic.exe
Token: SeBackupPrivilege	3932	wmic.exe
Token: SeRestorePrivilege	3932	wmic.exe
Token: SeShutdownPrivilege	3932	wmic.exe
Token: SeDebugPrivilege	3932	wmic.exe
Token: SeSystemEnvironmentPrivilege	3932	wmic.exe
Token: SeRemoteShutdownPrivilege	3932	wmic.exe
Token: SeUndockPrivilege	3932	wmic.exe
Token: SeManageVolumePrivilege	3932	wmic.exe
Token: 33	3932	wmic.exe
Token: 34	3932	wmic.exe
Token: 35	3932	wmic.exe
Token: 36	3932	wmic.exe
Token: SeIncreaseQuotaPrivilege	3932	wmic.exe
Token: SeSecurityPrivilege	3932	wmic.exe
Token: SeTakeOwnershipPrivilege	3932	wmic.exe
Token: SeLoadDriverPrivilege	3932	wmic.exe
Token: SeSystemProfilePrivilege	3932	wmic.exe
Token: SeSystemtimePrivilege	3932	wmic.exe
Token: SeProfSingleProcessPrivilege	3932	wmic.exe
Token: SeIncBasePriorityPrivilege	3932	wmic.exe
Token: SeCreatePagefilePrivilege	3932	wmic.exe
Token: SeBackupPrivilege	3932	wmic.exe
Token: SeRestorePrivilege	3932	wmic.exe
Token: SeShutdownPrivilege	3932	wmic.exe
Token: SeDebugPrivilege	3932	wmic.exe
Token: SeSystemEnvironmentPrivilege	3932	wmic.exe
Token: SeRemoteShutdownPrivilege	3932	wmic.exe
Token: SeUndockPrivilege	3932	wmic.exe
Token: SeManageVolumePrivilege	3932	wmic.exe
Token: 33	3932	wmic.exe
Token: 34	3932	wmic.exe
Token: 35	3932	wmic.exe
Token: 36	3932	wmic.exe
Token: SeIncreaseQuotaPrivilege	2532	wmic.exe
Token: SeSecurityPrivilege	2532	wmic.exe
Token: SeTakeOwnershipPrivilege	2532	wmic.exe
Token: SeLoadDriverPrivilege	2532	wmic.exe
Token: SeSystemProfilePrivilege	2532	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3224	2272	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe	72
PID 2272 wrote to memory of 3224	2272	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe	72
PID 2272 wrote to memory of 3224	2272	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe	72
PID 3224 wrote to memory of 3728	3224	axplong.exe	73
PID 3224 wrote to memory of 3728	3224	axplong.exe	73
PID 3224 wrote to memory of 3728	3224	axplong.exe	73
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3728 wrote to memory of 304	3728	gold.exe	74
PID 3224 wrote to memory of 5028	3224	axplong.exe	77
PID 3224 wrote to memory of 5028	3224	axplong.exe	77
PID 3224 wrote to memory of 5028	3224	axplong.exe	77
PID 5028 wrote to memory of 1584	5028	legas.exe	78
PID 5028 wrote to memory of 1584	5028	legas.exe	78
PID 5028 wrote to memory of 1584	5028	legas.exe	78
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 5028 wrote to memory of 4452	5028	legas.exe	79
PID 4452 wrote to memory of 3616	4452	MSBuild.exe	81
PID 4452 wrote to memory of 3616	4452	MSBuild.exe	81
PID 4452 wrote to memory of 5012	4452	MSBuild.exe	82
PID 4452 wrote to memory of 5012	4452	MSBuild.exe	82
PID 3224 wrote to memory of 4188	3224	axplong.exe	83
PID 3224 wrote to memory of 4188	3224	axplong.exe	83
PID 3224 wrote to memory of 4188	3224	axplong.exe	83
PID 3224 wrote to memory of 1520	3224	axplong.exe	84
PID 3224 wrote to memory of 1520	3224	axplong.exe	84
PID 3224 wrote to memory of 1520	3224	axplong.exe	84
PID 3224 wrote to memory of 4012	3224	axplong.exe	87
PID 3224 wrote to memory of 4012	3224	axplong.exe	87
PID 3224 wrote to memory of 4012	3224	axplong.exe	87
PID 3224 wrote to memory of 1204	3224	axplong.exe	89
PID 3224 wrote to memory of 1204	3224	axplong.exe	89
PID 3224 wrote to memory of 1204	3224	axplong.exe	89
PID 1204 wrote to memory of 2496	1204	df19b30cf0.exe	90
PID 1204 wrote to memory of 2496	1204	df19b30cf0.exe	90
PID 1204 wrote to memory of 2496	1204	df19b30cf0.exe	90
PID 3224 wrote to memory of 2900	3224	axplong.exe	91
PID 3224 wrote to memory of 2900	3224	axplong.exe	91
PID 3224 wrote to memory of 2900	3224	axplong.exe	91
PID 2900 wrote to memory of 556	2900	MK.exe	93
PID 2900 wrote to memory of 556	2900	MK.exe	93
PID 2900 wrote to memory of 556	2900	MK.exe	93
PID 2900 wrote to memory of 556	2900	MK.exe	93
PID 2900 wrote to memory of 556	2900	MK.exe	93
PID 2900 wrote to memory of 556	2900	MK.exe	93
PID 2900 wrote to memory of 556	2900	MK.exe	93
PID 2900 wrote to memory of 556	2900	MK.exe	93
PID 3224 wrote to memory of 4340	3224	axplong.exe	94
PID 3224 wrote to memory of 4340	3224	axplong.exe	94
PID 3224 wrote to memory of 4340	3224	axplong.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	out.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	out.exe

C:\Users\Admin\AppData\Local\Temp\bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
"C:\Users\Admin\AppData\Local\Temp\bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 284
      4⤵
      Program crash
      PID:2616
- - C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Users\Admin\AppData\Roaming\yiliXDtCuE.exe
        
        "C:\Users\Admin\AppData\Roaming\yiliXDtCuE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
    - - C:\Users\Admin\AppData\Roaming\ANJKcmcBHG.exe
        
        "C:\Users\Admin\AppData\Roaming\ANJKcmcBHG.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 252
      4⤵
      Program crash
      PID:4984
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\1000354001\03110add73.exe
    "C:\Users\Admin\AppData\Local\Temp\1000354001\03110add73.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4012
- - C:\Users\Admin\AppData\Local\Temp\1000355001\df19b30cf0.exe
    "C:\Users\Admin\AppData\Local\Temp\1000355001\df19b30cf0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2496
- - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:556
- - C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5092
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5860
- - C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
    "C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start context.exe
      4⤵
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1200
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2124
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2444
- - C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
    "C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:628
- - C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4216
- - C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe
    "C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3292
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic nic where NetEnabled='true' get MACAddress,Name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3932
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2532
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get uuid
      4⤵
      PID:4436
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic logicaldisk get size
      4⤵
      Collects information from the system
      PID:2660
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path Win32_VideoController get Caption
      4⤵
      PID:2224
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path Win32_Processor get Name
      4⤵
      PID:1980
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path Win32_ComputerSystem get TotalPhysicalMemory
      4⤵
      PID:4396
  - - C:\Windows\system32\cmd.exe
      cmd /C start /min wscript C:\Users\Public\Scripts\c1DrceUPMXsvORG.vbs
      4⤵
      PID:5836
    - - C:\Windows\system32\wscript.exe
        
        wscript C:\Users\Public\Scripts\c1DrceUPMXsvORG.vbs
        5⤵
        
        PID:5972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Public\Scripts\rsDPKksCK7ic6VY.ps1"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5164
- - C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe
    "C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA0ADIANAAwADAAMQBcAGEAcABwAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAMAAwADAANAAyADQAMAAwADEAXABhAHAAcAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABzAHEAZABxAHMAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAHMAcQBkAHEAcwBkAC4AZQB4AGUA
      4⤵
      System Location Discovery: System Language Discovery
      PID:6084
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      PID:5076

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:684

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5008

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5520

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2184

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3204

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6024

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5796

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5616

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5512

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5964

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5732

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a9a672f4178fa522ba0cd5b027d0ccf4

SHA1
8b03672a1aca271ef037b60d3f6a3f3bd23e32ea

SHA256
66cac617e0bda56277b5442f21e3aefab6ae2f16ce5c0cd636791ac602460966

SHA512
4aba8d5c7f9c75d21ebed8088ebc091d7e6ec52ebc6843a15914d041a65fb259cf5fab7752300ca3fe323ed4e90021550fefa77b8a09147df56ce5e1aa987754

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
566KB

MD5
049b6fe48a8cfb927648ad626aba5551

SHA1
9555d23104167e4fad5a178b4352831ce620b374

SHA256
b78402483c46cd37e2c204d95690aa2a213616a1f904d779ceec0e22fcdd6531

SHA512
ed787f90966ca1ea4b1e67c4026dd44393c7d312cd52e376f4ba5e5c49616938ec9e913044def29b40b441eb4c913a5134bb78317a179f62067bef3f9d913c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe

Filesize
1.3MB

MD5
24402fc0617a2740c16ea9c81518d669

SHA1
a0476ef848cd11bb20f8efd06e295a0f44c956ca

SHA256
c02fcc32573f4546201515667154d9e51e2636af52a1790d1063183c0d012566

SHA512
dd90c0036a8a109c5645b481f1bd7b193fa86518183790b75dbc400416793fb8f9e7d4d4621d7c0227cbbf483758a03a94581397686b09c6f65218b651b5bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\fikbbm0902845.exe

Filesize
18B

MD5
174ef859dfe296a48628dc40ef8e05ed

SHA1
59a0e43e3ae9c8f638932b9cf83bf62ad91fb2b7

SHA256
84520353f099eee2117b00aa16cde461e573a835e8ddd64334efd871d4ce292c

SHA512
c6d0e9d1842a4ce05929f8941b8e30729567626cf1594f3b11958cde9347e1d8e8cde5f9f9584953122fd035fedec0b09c0bd184abc0f33eac4862d85e164ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe

Filesize
7.4MB

MD5
735bb5f55a17215700840c04a8b40a03

SHA1
55e0828c6d08653939eee2b1af8fd737e92266c4

SHA256
5ea6a5e3bc6c02cc41637028050c3738c38a07917e373637928b314c5d22f84d

SHA512
7e742677e35099d8cd4a5163eea6633e3ec7deeb4840aba1f8adad8f0022e72f7416ac6367802eceab8f9f2e9dd04e1546b141e911495d025b98575a92f3865c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\red.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\03110add73.exe

Filesize
1.8MB

MD5
caf461eb8ed93f9c6693644c9a00bf91

SHA1
bde1937a55f1aba923ef6710d56585192aa29f66

SHA256
bd7cb47cbacea170edf4777a5d5d592493f8bdeb475b25cde03208bd49eae092

SHA512
ddb8711e95899cb09798f0add44805ed5aa90c1ca80e94fa73fa42568c07c9aa93dca21ff0db314fead43d84ec87583d9b8c6e7d1799daa8e3a58befdf678642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\df19b30cf0.exe

Filesize
1.8MB

MD5
f69f1b099abe6b8ec4d6319db86fd01d

SHA1
374021521d524c3c4e8e54937eb21b1982511277

SHA256
f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab

SHA512
edc4b8d8171de84234379bb1a4658aef0c1197b584f5b035779fae7689695edf05675b3578342c893383e3b18a5bdd35cd598da3e2847873c29946414695ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe

Filesize
1.1MB

MD5
ed9393d5765529c845c623e35c1b1a34

SHA1
d3eca07f5ce0df847070d2d7fe5253067f624285

SHA256
53cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a

SHA512
565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe

Filesize
6.3MB

MD5
65eeea19b373583f916bf3070acbfd58

SHA1
78ce3479d5d0148ba855d89ecb48a3f0c12d9957

SHA256
c671e33f6757cef930713d2e4efeb8642177675e95fc05de92e124213022a00b

SHA512
f726327e977a85dcc3b0c217a8dacc9cd375bbe3f238558c9b9adf35233c0b4959e6014ff46bf742a7a822e4fe757d4f3bcc1e63709c6ec4c84c29c1f47483c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe

Filesize
5.5MB

MD5
f2930c61288bc55dfdf9c8b42e321006

SHA1
5ce19a53d5b4deb406943e05ec93bc3979824866

SHA256
d3a53533949862449edb69c1916bf56681e3f2ec3a1c803043b1f3b876698603

SHA512
67a1ea68fafae8c7c9da322b7c5821e5cc78fcce3c9454a552a13ebc812bec334f60533991147b0b95151ade77ff2fbf244945f8318b48082173b64c71e6308f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe

Filesize
20.4MB

MD5
7172ee8de6490094d4a5112eceaaaa90

SHA1
46a82d7628f31d91fb883056dfbd4d15d26bbd77

SHA256
11cabbb368deb30bc1f45feb6509b222c2b360707ff31c8b1e056c617477f28e

SHA512
91e2da0921f8d2596ac2e99e91b108e4d7dba6a97800c775bc9d9b4411fae3b7f0d811f48b107054664aff69c7cdd2c052220960cec9c525470f7266de5780d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
338fd6192a1bfaadbf72002bc5f8323e

SHA1
b465094f062d170487b50ae46b28325d4b156d58

SHA256
bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c

SHA512
bb0c58e71eccd9edf0acfb04cc23d4fc8d6250938a4ee0a42698ab53f07ebc66c1776b0e3d668e9aad0aab2c1e0e37261508013996b9ac0dea1fe77da992a167

Download Submit
C:\Users\Admin\AppData\Local\Temp\968772205171

Filesize
65KB

MD5
b19c2da39e26ecf5e6a2c897ddca66f0

SHA1
3c8a40b5642ccd1032aa52942f20a607ae937270

SHA256
2ac73a6d613740804175143cc9f1518f772ce143e3451f76a1fad83745c12df8

SHA512
0396a3d3ad80fc83e9984c80e735ce155a492e3896f8b2d21f092c6641ca1c240492360b5ae7d0f6beddad502a626eb0e25e9befa5c0db9d791bcbe6abdf7518

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp82DC.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzmf3zn4.hfs.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\ANJKcmcBHG.exe

Filesize
393KB

MD5
7d7366ab79d6d3d8d83d13a8b30de999

SHA1
75c6c49a6701d254c3ce184054a4a01329c1a6f3

SHA256
3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

SHA512
64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3968772205-1713802336-1776639840-1000\76b53b3ec448f7ccdda2063b15d2bfc3_f4fe33a0-f73d-4d5c-8730-deeef20ef238

Filesize
2KB

MD5
8bf3a816c5494bacd0c16465492bce69

SHA1
c67e21817ddab66c4cca3ccd43293ea0c3dada3f

SHA256
cd026baf4fa588afe0ce0cc9f6ec422de676f456a4fe4876f3b42ab034b53e17

SHA512
82aba1e54749a65f639e7071b4356569dd48c30ae206f2210f7d0d0b2e4501161ce34914e9793b5eef5f26a5660dc782adf945e0f190461c74e16b3e5e25000b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url

Filesize
70B

MD5
1c5c0d2105718982915d88e1e34b7c24

SHA1
ecb11df5274a3a37c81fc19b95ec316d39bb6f03

SHA256
b5fd05a1a23d90dee32a1f61158a1e0859fde6882b289267c90845bb995b0c09

SHA512
9e1f86ca561c034078acbce22e6b3b2dc938a883f4897167c96ad7c61f28d30075d66557335825c18a00f96467fbd1dee067bb756388ba60b21443ba964ba331

Download Submit
C:\Users\Admin\AppData\Roaming\yiliXDtCuE.exe

Filesize
602KB

MD5
e4fc58d334930a9d6572c344e5129f6b

SHA1
d38fbd0c4c86eee14722f40cc607e2128c01b00f

SHA256
973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

SHA512
a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
5a9ee0498768cfcc5c61516fc5d780cd

SHA1
9ca59745b147d36da00237f6fed755738f5c759b

SHA256
bde6e40a986984ed4dbfa69316c684b3ea2d5682ef6a66f34e9c0e0bfddfe3e5

SHA512
275ee6966195d4ac0371a63de36e460936a706a1bbe80b815b6516eaa175227513a6158be0b72accddb3d1f303439d591e34776c3eda9b658d7e5fcbb5a9c6ed

Download Submit
C:\Users\Public\Scripts\c1DrceUPMXsvORG.vbs

Filesize
162B

MD5
f63b47eb83dfee24b533066feb3de5ad

SHA1
6e4f05165b6f3b71d2f52175f980c75fffa14f09

SHA256
d54729aca91fc5cc28a78eb7499cdbbd5d51d605ed68c1ff51dd93976cb8091f

SHA512
8fb5e87321e38db2276daec28d3711d4ca80899ce2313cf99df642458d06cf62903c56d437285f0081fb155f24e2b03e1a34e3e71263dfbc1ade0a3d95c43ef9

Download Submit
C:\Users\Public\Scripts\rsDPKksCK7ic6VY.ps1

Filesize
24KB

MD5
2f2ae1c3b6760d72f2942bd33ea504f6

SHA1
6da5194e80bea94ff5802279e0286568b0976674

SHA256
0c7fe362cb65fabde7a85a5bd6a501697635461adde3919bc8816a140b5c8885

SHA512
55266bb815f80a07cfb6cacf361c20ea11263eaca2a8e02f0869e797ca004fa18268dc1e4414bca94ec48fbe5ec79b7b9abff1862c259d57610fceb45a1584e3

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/304-33-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/304-32-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/556-216-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/556-328-0x000000000A430000-0x000000000A480000-memory.dmp

Filesize
320KB

Download
memory/556-319-0x0000000006DE0000-0x0000000006E46000-memory.dmp

Filesize
408KB

Download
memory/556-326-0x000000000A4C0000-0x000000000A682000-memory.dmp

Filesize
1.8MB

Download
memory/556-327-0x000000000ABC0000-0x000000000B0EC000-memory.dmp

Filesize
5.2MB

Download
memory/684-1991-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/684-1988-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/812-449-0x0000000007680000-0x00000000077A5000-memory.dmp

Filesize
1.1MB

Download
memory/812-1525-0x0000000007AA0000-0x0000000007B46000-memory.dmp

Filesize
664KB

Download
memory/812-1797-0x0000000003DA0000-0x0000000003DF4000-memory.dmp

Filesize
336KB

Download
memory/812-450-0x0000000007680000-0x00000000077A5000-memory.dmp

Filesize
1.1MB

Download
memory/812-452-0x0000000007680000-0x00000000077A5000-memory.dmp

Filesize
1.1MB

Download
memory/812-448-0x0000000007680000-0x00000000077AC000-memory.dmp

Filesize
1.2MB

Download
memory/812-1526-0x0000000007010000-0x000000000705C000-memory.dmp

Filesize
304KB

Download
memory/812-429-0x0000000000890000-0x0000000001CF6000-memory.dmp

Filesize
20.4MB

Download
memory/1204-197-0x00000000013C0000-0x0000000001882000-memory.dmp

Filesize
4.8MB

Download
memory/1204-184-0x00000000013C0000-0x0000000001882000-memory.dmp

Filesize
4.8MB

Download
memory/1520-126-0x0000000006310000-0x000000000635B000-memory.dmp

Filesize
300KB

Download
memory/1520-122-0x0000000006690000-0x0000000006C96000-memory.dmp

Filesize
6.0MB

Download
memory/1520-95-0x0000000000120000-0x0000000000172000-memory.dmp

Filesize
328KB

Download
memory/1520-97-0x0000000004B40000-0x0000000004BD2000-memory.dmp

Filesize
584KB

Download
memory/1520-125-0x0000000006190000-0x00000000061CE000-memory.dmp

Filesize
248KB

Download
memory/1520-123-0x0000000006200000-0x000000000630A000-memory.dmp

Filesize
1.0MB

Download
memory/1520-98-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/1520-124-0x0000000006130000-0x0000000006142000-memory.dmp

Filesize
72KB

Download
memory/1520-116-0x00000000056A0000-0x0000000005716000-memory.dmp

Filesize
472KB

Download
memory/1520-96-0x0000000004FA0000-0x000000000549E000-memory.dmp

Filesize
5.0MB

Download
memory/1520-119-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/2184-2031-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/2184-2035-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/2272-0-0x00000000012D0000-0x000000000176E000-memory.dmp

Filesize
4.6MB

Download
memory/2272-1-0x0000000077514000-0x0000000077515000-memory.dmp

Filesize
4KB

Download
memory/2272-2-0x00000000012D1000-0x00000000012FF000-memory.dmp

Filesize
184KB

Download
memory/2272-3-0x00000000012D0000-0x000000000176E000-memory.dmp

Filesize
4.6MB

Download
memory/2272-5-0x00000000012D0000-0x000000000176E000-memory.dmp

Filesize
4.6MB

Download
memory/2272-14-0x00000000012D0000-0x000000000176E000-memory.dmp

Filesize
4.6MB

Download
memory/2496-198-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/2496-397-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/2496-413-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/2496-430-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/2496-325-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/2900-214-0x0000000000A80000-0x0000000000AD4000-memory.dmp

Filesize
336KB

Download
memory/3204-2036-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/3204-2030-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/3216-270-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/3224-121-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-18-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-145-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-322-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-15-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-16-0x00000000008B1000-0x00000000008DF000-memory.dmp

Filesize
184KB

Download
memory/3224-17-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-62-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-416-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-19-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-371-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-129-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3224-411-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/3292-412-0x0000019D487B0000-0x0000019D48B68000-memory.dmp

Filesize
3.7MB

Download
memory/3616-61-0x0000000000C50000-0x0000000000CEC000-memory.dmp

Filesize
624KB

Download
memory/3616-130-0x000000001E3C0000-0x000000001E436000-memory.dmp

Filesize
472KB

Download
memory/3616-131-0x000000001BCD0000-0x000000001BCEE000-memory.dmp

Filesize
120KB

Download
memory/4012-324-0x0000000000A00000-0x000000000109C000-memory.dmp

Filesize
6.6MB

Download
memory/4012-305-0x0000000000A00000-0x000000000109C000-memory.dmp

Filesize
6.6MB

Download
memory/4012-311-0x0000000000A00000-0x000000000109C000-memory.dmp

Filesize
6.6MB

Download
memory/4012-144-0x0000000000A00000-0x000000000109C000-memory.dmp

Filesize
6.6MB

Download
memory/4032-433-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4032-446-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4032-432-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4188-75-0x0000000000220000-0x0000000000463000-memory.dmp

Filesize
2.3MB

Download
memory/4188-147-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4188-323-0x0000000000220000-0x0000000000463000-memory.dmp

Filesize
2.3MB

Download
memory/4216-399-0x0000000000400000-0x0000000001067000-memory.dmp

Filesize
12.4MB

Download
memory/4444-287-0x00000000003B0000-0x00000000004C8000-memory.dmp

Filesize
1.1MB

Download
memory/4444-291-0x000000000ADF0000-0x000000000AE74000-memory.dmp

Filesize
528KB

Download
memory/4452-47-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4452-57-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4452-46-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4452-48-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4476-349-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/4476-345-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/4668-409-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4668-401-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4668-400-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4668-402-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4744-362-0x0000000069CC0000-0x000000006A377000-memory.dmp

Filesize
6.7MB

Download
memory/4744-408-0x0000000000A00000-0x0000000001177000-memory.dmp

Filesize
7.5MB

Download
memory/4804-348-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/4804-344-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/5008-1993-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/5008-1989-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/5012-60-0x0000000000650000-0x00000000006B8000-memory.dmp

Filesize
416KB

Download
memory/5012-118-0x000000001B700000-0x000000001B73E000-memory.dmp

Filesize
248KB

Download
memory/5012-117-0x000000001B550000-0x000000001B562000-memory.dmp

Filesize
72KB

Download
memory/5012-115-0x000000001D840000-0x000000001D94A000-memory.dmp

Filesize
1.0MB

Download
memory/5076-1807-0x0000000008DB0000-0x0000000008E6C000-memory.dmp

Filesize
752KB

Download
memory/5076-1806-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5076-1966-0x000000000A4E0000-0x000000000A5CA000-memory.dmp

Filesize
936KB

Download
memory/5076-1977-0x000000000A9C0000-0x000000000AAAA000-memory.dmp

Filesize
936KB

Download
memory/5076-1979-0x000000000AE30000-0x000000000AF1C000-memory.dmp

Filesize
944KB

Download
memory/5164-1822-0x0000021F5A3E0000-0x0000021F5A402000-memory.dmp

Filesize
136KB

Download
memory/5512-2067-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/5512-2072-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/5732-2107-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/5732-2104-0x00000000008B0000-0x0000000000D4E000-memory.dmp

Filesize
4.6MB

Download
memory/5796-2069-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/5964-2109-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/5964-2103-0x0000000000AA0000-0x0000000000F62000-memory.dmp

Filesize
4.8MB

Download
memory/6084-1537-0x0000000007730000-0x0000000007A80000-memory.dmp

Filesize
3.3MB

Download
memory/6084-1534-0x0000000006E40000-0x0000000007468000-memory.dmp

Filesize
6.2MB

Download
memory/6084-1533-0x0000000004280000-0x00000000042B6000-memory.dmp

Filesize
216KB

Download
memory/6084-1757-0x0000000009110000-0x000000000912A000-memory.dmp

Filesize
104KB

Download
memory/6084-1563-0x0000000009170000-0x0000000009204000-memory.dmp

Filesize
592KB

Download
memory/6084-1555-0x0000000008C50000-0x0000000008C83000-memory.dmp

Filesize
204KB

Download
memory/6084-1535-0x0000000006C30000-0x0000000006C52000-memory.dmp

Filesize
136KB

Download
memory/6084-1762-0x0000000009100000-0x0000000009108000-memory.dmp

Filesize
32KB

Download
memory/6084-1536-0x0000000007650000-0x00000000076B6000-memory.dmp

Filesize
408KB

Download
memory/6084-1538-0x0000000006E20000-0x0000000006E3C000-memory.dmp

Filesize
112KB

Download
memory/6084-1557-0x0000000008C30000-0x0000000008C4E000-memory.dmp

Filesize
120KB

Download
memory/6084-1562-0x0000000008F90000-0x0000000009035000-memory.dmp

Filesize
660KB

Download
memory/6084-1556-0x0000000072A60000-0x0000000072AAB000-memory.dmp

Filesize
300KB

Download