amadey | c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54

Analysis

max time kernel
113s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
Size

1.9MB
MD5

66ed66dcc805b24b838f870ca59fdad0
SHA1

c2c542011ee48bf78fd3fb6cb18936bb2d33e1ba
SHA256

c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54
SHA512

86f3de4683af15c23d4aab426ef26f338d587ae4c9efd4ce126fccf35466b3bb3b946035a68c81e4a44a819dd59ef014c2568818320940ce160d67a25012b4b8
SSDEEP

49152:+o9WZ9aelvwdMtecFU3u/HVAiFdLwPrJ5/D3wlUgGkWGG1:l9WZXws1a3UHeiyrjD3wlUgrU

Score

10^/10

amadey cryptbot lumma redline stealc 1176f2 9c9aa5 default_valenciga doma fed3aa tg cloud @rlreborn admin @fatherofcarders credential_access discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
behavioral2/memory/736-450-0x0000000069CC0000-0x000000006A37B000-memory.dmp	family_cryptbot_v3

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/324-223-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1db860f858.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e10e986df8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1db860f858.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e10e986df8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1db860f858.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e10e986df8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	L2G.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	e10e986df8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Nework.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	processclass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JavUmar1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	splwow64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	context.exe

Executes dropped EXE 26 IoCs

pid	Process
1668	axplong.exe
4464	gold.exe
404	L2G.exe
944	L2G.exe
3264	stealc_default2.exe
2680	Czb7yhyLYw.exe
3564	x65zqUJVBJ.exe
4120	1db860f858.exe
4920	e10e986df8.exe
1880	skotes.exe
3212	MK.exe
1620	Nework.exe
2532	Hkbsse.exe
2336	processclass.exe
4676	splwow64.exe
3836	2927.exe
1784	2927.tmp
4716	context.exe
684	Hkbsse.exe
2140	axplong.exe
1156	skotes.exe
736	JavUmar1.exe
2196	Hkbsse.exe
2012	skotes.exe
2612	axplong.exe
1932	service123.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	1db860f858.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	e10e986df8.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	axplong.exe

Loads dropped DLL 4 IoCs

pid	Process
3264	stealc_default2.exe
3264	stealc_default2.exe
1784	2927.tmp
1932	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1db860f858.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\1db860f858.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e10e986df8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\e10e986df8.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
3720	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
1668	axplong.exe
4120	1db860f858.exe
4920	e10e986df8.exe
1880	skotes.exe
2140	axplong.exe
1156	skotes.exe
2012	skotes.exe
2612	axplong.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 404 set thread context of 944	404	L2G.exe	97
PID 3212 set thread context of 324	3212	MK.exe	124
PID 4676 set thread context of 4584	4676	splwow64.exe	144
PID 4716 set thread context of 3512	4716	context.exe	153

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
File created	C:\Windows\Tasks\skotes.job	e10e986df8.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4416	404	WerFault.exe	96
2832	4464	WerFault.exe	91
2852	4464	WerFault.exe	91
1332	4464	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2927.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e10e986df8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1db860f858.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L2G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L2G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2927.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavUmar1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JavUmar1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JavUmar1.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4992	timeout.exe
1820	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1980	taskkill.exe
4932	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3720	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
3720	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
1668	axplong.exe
1668	axplong.exe
3264	stealc_default2.exe
3264	stealc_default2.exe
4120	1db860f858.exe
4120	1db860f858.exe
4920	e10e986df8.exe
4920	e10e986df8.exe
1880	skotes.exe
1880	skotes.exe
2680	Czb7yhyLYw.exe
2680	Czb7yhyLYw.exe
3564	x65zqUJVBJ.exe
3564	x65zqUJVBJ.exe
324	RegAsm.exe
324	RegAsm.exe
3264	stealc_default2.exe
3264	stealc_default2.exe
324	RegAsm.exe
324	RegAsm.exe
2140	axplong.exe
2140	axplong.exe
1156	skotes.exe
1156	skotes.exe
2012	skotes.exe
2012	skotes.exe
2612	axplong.exe
2612	axplong.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	2680	Czb7yhyLYw.exe
Token: SeBackupPrivilege	3564	x65zqUJVBJ.exe
Token: SeSecurityPrivilege	3564	x65zqUJVBJ.exe
Token: SeSecurityPrivilege	2680	Czb7yhyLYw.exe
Token: SeSecurityPrivilege	3564	x65zqUJVBJ.exe
Token: SeSecurityPrivilege	3564	x65zqUJVBJ.exe
Token: SeSecurityPrivilege	3564	x65zqUJVBJ.exe
Token: SeSecurityPrivilege	2680	Czb7yhyLYw.exe
Token: SeSecurityPrivilege	2680	Czb7yhyLYw.exe
Token: SeSecurityPrivilege	2680	Czb7yhyLYw.exe
Token: SeDebugPrivilege	3564	x65zqUJVBJ.exe
Token: SeDebugPrivilege	2680	Czb7yhyLYw.exe
Token: SeDebugPrivilege	324	RegAsm.exe
Token: SeDebugPrivilege	2336	processclass.exe
Token: SeDebugPrivilege	4676	splwow64.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	4716	context.exe
Token: SeDebugPrivilege	4932	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3720	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1668	3720	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe	87
PID 3720 wrote to memory of 1668	3720	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe	87
PID 3720 wrote to memory of 1668	3720	c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe	87
PID 1668 wrote to memory of 4464	1668	axplong.exe	91
PID 1668 wrote to memory of 4464	1668	axplong.exe	91
PID 1668 wrote to memory of 4464	1668	axplong.exe	91
PID 1668 wrote to memory of 404	1668	axplong.exe	96
PID 1668 wrote to memory of 404	1668	axplong.exe	96
PID 1668 wrote to memory of 404	1668	axplong.exe	96
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 404 wrote to memory of 944	404	L2G.exe	97
PID 1668 wrote to memory of 3264	1668	axplong.exe	102
PID 1668 wrote to memory of 3264	1668	axplong.exe	102
PID 1668 wrote to memory of 3264	1668	axplong.exe	102
PID 944 wrote to memory of 2680	944	L2G.exe	103
PID 944 wrote to memory of 2680	944	L2G.exe	103
PID 944 wrote to memory of 3564	944	L2G.exe	104
PID 944 wrote to memory of 3564	944	L2G.exe	104
PID 1668 wrote to memory of 4120	1668	axplong.exe	111
PID 1668 wrote to memory of 4120	1668	axplong.exe	111
PID 1668 wrote to memory of 4120	1668	axplong.exe	111
PID 1668 wrote to memory of 4920	1668	axplong.exe	115
PID 1668 wrote to memory of 4920	1668	axplong.exe	115
PID 1668 wrote to memory of 4920	1668	axplong.exe	115
PID 4920 wrote to memory of 1880	4920	e10e986df8.exe	118
PID 4920 wrote to memory of 1880	4920	e10e986df8.exe	118
PID 4920 wrote to memory of 1880	4920	e10e986df8.exe	118
PID 1668 wrote to memory of 3212	1668	axplong.exe	122
PID 1668 wrote to memory of 3212	1668	axplong.exe	122
PID 1668 wrote to memory of 3212	1668	axplong.exe	122
PID 3212 wrote to memory of 324	3212	MK.exe	124
PID 3212 wrote to memory of 324	3212	MK.exe	124
PID 3212 wrote to memory of 324	3212	MK.exe	124
PID 3212 wrote to memory of 324	3212	MK.exe	124
PID 3212 wrote to memory of 324	3212	MK.exe	124
PID 3212 wrote to memory of 324	3212	MK.exe	124
PID 3212 wrote to memory of 324	3212	MK.exe	124
PID 3212 wrote to memory of 324	3212	MK.exe	124
PID 1668 wrote to memory of 1620	1668	axplong.exe	125
PID 1668 wrote to memory of 1620	1668	axplong.exe	125
PID 1668 wrote to memory of 1620	1668	axplong.exe	125
PID 1620 wrote to memory of 2532	1620	Nework.exe	126
PID 1620 wrote to memory of 2532	1620	Nework.exe	126
PID 1620 wrote to memory of 2532	1620	Nework.exe	126
PID 1668 wrote to memory of 2336	1668	axplong.exe	129
PID 1668 wrote to memory of 2336	1668	axplong.exe	129
PID 1668 wrote to memory of 4676	1668	axplong.exe	130
PID 1668 wrote to memory of 4676	1668	axplong.exe	130
PID 1668 wrote to memory of 4676	1668	axplong.exe	130
PID 2532 wrote to memory of 3836	2532	Hkbsse.exe	136
PID 2532 wrote to memory of 3836	2532	Hkbsse.exe	136
PID 2532 wrote to memory of 3836	2532	Hkbsse.exe	136
PID 3836 wrote to memory of 1784	3836	2927.exe	137
PID 3836 wrote to memory of 1784	3836	2927.exe	137
PID 3836 wrote to memory of 1784	3836	2927.exe	137
PID 1784 wrote to memory of 1596	1784	2927.tmp	139

C:\Users\Admin\AppData\Local\Temp\c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe
"C:\Users\Admin\AppData\Local\Temp\c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1180
      4⤵
      Program crash
      PID:2832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1192
      4⤵
      Program crash
      PID:2852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1236
      4⤵
      Program crash
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\1000004001\L2G.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\L2G.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\L2G.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\L2G.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Users\Admin\AppData\Roaming\Czb7yhyLYw.exe
        
        "C:\Users\Admin\AppData\Roaming\Czb7yhyLYw.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Users\Admin\AppData\Roaming\x65zqUJVBJ.exe
        
        "C:\Users\Admin\AppData\Roaming\x65zqUJVBJ.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 240
      4⤵
      Program crash
      PID:4416
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\1000354001\1db860f858.exe
    "C:\Users\Admin\AppData\Local\Temp\1000354001\1db860f858.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\1000355001\e10e986df8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000355001\e10e986df8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1880
- - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:324
- - C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\is-C02FV.tmp\2927.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C02FV.tmp\2927.tmp" /SL5="$C0030,922170,832512,C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-RETCK.tmp\my.bat""
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\1000094001\JavUmar1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000094001\JavUmar1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:736
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1932
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4260
- - C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
    "C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start context.exe
      4⤵
      PID:324
    - - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1820
- - C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
    "C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4464 -ip 4464
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4464 -ip 4464
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4464 -ip 4464
1⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:684

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1156

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2612

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
d3db2936f671814d040e9d88a28ad094

SHA1
5a7e0c06ed81ea397058cb376393e5213eeee7cd

SHA256
d133a08c3d105b7cb8362d1d0a1dc7d8c6aea90684cd997d3c8856a019877c5a

SHA512
d689d1c1fe858a78e38b5b06c75b1dd2170cd6eac52305cee6f3e46149753608ffab44a425f62dde0c29731db4367cfb23ef2c96cebb406535c75121cfd2c4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
2.5MB

MD5
eab5dd4b0d7f9e18d26862b312600f93

SHA1
9278a96cff76785646971f8252d70ab14328ee24

SHA256
631d8bebaa32e939ece2d304bf739987941cbb4a0e4a1326074e355e508e0c0c

SHA512
9efcbdc853b81b0a378e8ea8cf5779edf614b8534970927a68b91be1d6958ea11a63ddd47f132fc6956b53bbe53bda2d0cc143f7b6298f162f8a82e64b75248e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\L2G.exe

Filesize
1.2MB

MD5
fdcc2baa8fa2bde596233495b2732870

SHA1
bfa3f40faa71ac5bb377f4d867f833d10ef34f05

SHA256
b31098cf6d7db5186c813df14bdc1b0bda234103643bd5d2619ddd82752f1e5b

SHA512
88b5de68b36b6e1e419bdb1d5d55306b1bf497a38c9d90d3c18219603107384afd7ef14c9a25a1998db44ca5953b0c8afdc6c800f3c20f4e3013b892d9dff2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe

Filesize
1.7MB

MD5
f734d3c885625d361b085cfc8af1fc25

SHA1
63ebbfac1ae03d7db04bf55523f07f3f4aa2b534

SHA256
1fc070d52f6c24eb6e83d5e9474d63868d47509a8aea3687782ebf61ebe97cfd

SHA512
e798e083f0f7c8d51988d105cdd1ca388befbd68f9045c980b689eb183ce99e512821f9dbc48cdfc9db03f507e61c26113279f7e3a5c150eee1dad09756e7024

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000094001\JavUmar1.exe

Filesize
6.3MB

MD5
bfe2f72aaf59ad12fe5479d4936d9d52

SHA1
1eb38144e825af65babd0f1e5651f74123413c93

SHA256
8ad7c506b6c146384ab9b6effd12c9bd586518100e35c4fcb4744b40d10bf25a

SHA512
e1e070feec3cc1ef4506976d6c839564f9a2487fbdfeb77c29027c3c0634f8990f3e48aba0560030e8f823ee48ca2055f16256d1d87e68b565dd8bbfcc4bdba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\1db860f858.exe

Filesize
1.8MB

MD5
cb8c50fb3cbfef8419c3990024d0d272

SHA1
d8dfead2abe73665a26ebf8e4f6089e2c91ee1bf

SHA256
b119c34ac3b9423df0c4ff87a311580fd816715a86fd5b237c48cd53bf05dc8a

SHA512
27c3c1488ccfbeded1fd6cdba2bfa63fa6474e271d04c3981cb06466236c665eb6510860c3612d23a9afde4d99b00c5c090a16a35a5506bb0ab8032f42202434

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\e10e986df8.exe

Filesize
1.8MB

MD5
0fc27c0002fbc0bd2b12a9d1f2ea1e62

SHA1
62825572806c3fe7e9bae07d11c1715515f3bfa2

SHA256
0bc7213acebaca1189d247b25ff0e7a8df49238316a6820665e52e1c69a57fba

SHA512
cb4e08e0937ac44e1da6c81aacd9744af94f41499698d531e7c98e279eef991aa38087f526a5225e91e52bd733b4ac0634198141e52cef994723d55008564f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe

Filesize
1.1MB

MD5
ed9393d5765529c845c623e35c1b1a34

SHA1
d3eca07f5ce0df847070d2d7fe5253067f624285

SHA256
53cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a

SHA512
565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.9MB

MD5
66ed66dcc805b24b838f870ca59fdad0

SHA1
c2c542011ee48bf78fd3fb6cb18936bb2d33e1ba

SHA256
c76c145d2353add63c1613c52cc9d4c2d908d383f1d649e7a3b6f7ef2df07d54

SHA512
86f3de4683af15c23d4aab426ef26f338d587ae4c9efd4ce126fccf35466b3bb3b946035a68c81e4a44a819dd59ef014c2568818320940ce160d67a25012b4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\932230532004

Filesize
83KB

MD5
5109d6f57d3dd4fe47ab26dcf23ec8ab

SHA1
5f7211ac5a3b48bc09652a03ca1e22129aade44e

SHA256
b6d1a30cad9145bed9ff85abb643ebeaab4289d43a5704feba5d2e18f03d4201

SHA512
de9b50736fa1839f39defd8efcf73b70f127e332059c3eb558a958ff5257ca23d341116177344d38c19d2d72e538ff5c1019f12f51d6384006779a893a45b967

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpEA21.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C02FV.tmp\2927.tmp

Filesize
3.1MB

MD5
bba584f217419c351e6ae092c664271d

SHA1
972ba560cdff81c57ce852687e9b3e85542d2c61

SHA256
b6e4f561c0b627441f052fc40bf2dcab04c4320da15205f24e64b40d55fa4151

SHA512
04fd9a7fa34fc8056d3ac8006cdccbd98c42389424c5301981d3223645eb9792ac23d8202fc9948e97bd02832d0635607586783ccd53e2643ad43175acccf6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RETCK.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Roaming\Czb7yhyLYw.exe

Filesize
469KB

MD5
3eba6a9c3a91b6cab9e2cba1620bfc3e

SHA1
52d195538a8162143cefd745bf9eee7df1f84e9d

SHA256
664d5913432f1b76c33b37599b46cc5f6324283428dba6b45801de37ee2f8d81

SHA512
eb9224e84993a19cddc9eaf75bf422f43fa61e73ab59be0b1b20110eeea6ee75e06f863ad327c9c2314e164f00e2b8813d6498bd442203fb457e0e9c34724fb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url

Filesize
70B

MD5
1c5c0d2105718982915d88e1e34b7c24

SHA1
ecb11df5274a3a37c81fc19b95ec316d39bb6f03

SHA256
b5fd05a1a23d90dee32a1f61158a1e0859fde6882b289267c90845bb995b0c09

SHA512
9e1f86ca561c034078acbce22e6b3b2dc938a883f4897167c96ad7c61f28d30075d66557335825c18a00f96467fbd1dee067bb756388ba60b21443ba964ba331

Download Submit
C:\Users\Admin\AppData\Roaming\x65zqUJVBJ.exe

Filesize
315KB

MD5
59c9d5bc2cfca695e10f12c6f5f5be3c

SHA1
64f8568e8beeef61e3c3918b2f6c38c8af42c46e

SHA256
cac6b02d8f2ae8f58e7e02ab86fc82149bf466a5857d92e3457aabfca468cf47

SHA512
220b2013d60713e5041ce6422f68aa7753042e1c9ffe8f6644515590d605b6f1701eaf4ecda1f03357a52d04956933261ba02f7948bb652438598211d72b0874

Download Submit
memory/324-243-0x0000000006050000-0x00000000060C6000-memory.dmp

Filesize
472KB

Download
memory/324-267-0x0000000007050000-0x000000000709C000-memory.dmp

Filesize
304KB

Download
memory/324-223-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/324-225-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/324-226-0x0000000005360000-0x000000000536A000-memory.dmp

Filesize
40KB

Download
memory/324-357-0x000000000A6E0000-0x000000000AC0C000-memory.dmp

Filesize
5.2MB

Download
memory/324-356-0x00000000098D0000-0x0000000009A92000-memory.dmp

Filesize
1.8MB

Download
memory/324-331-0x0000000006DA0000-0x0000000006DF0000-memory.dmp

Filesize
320KB

Download
memory/324-328-0x0000000006BE0000-0x0000000006C46000-memory.dmp

Filesize
408KB

Download
memory/324-244-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/324-255-0x00000000070D0000-0x00000000076E8000-memory.dmp

Filesize
6.1MB

Download
memory/324-256-0x0000000008950000-0x0000000008A5A000-memory.dmp

Filesize
1.0MB

Download
memory/324-258-0x0000000007010000-0x000000000704C000-memory.dmp

Filesize
240KB

Download
memory/324-257-0x0000000006FB0000-0x0000000006FC2000-memory.dmp

Filesize
72KB

Download
memory/736-471-0x0000000000C60000-0x00000000012BA000-memory.dmp

Filesize
6.4MB

Download
memory/736-450-0x0000000069CC0000-0x000000006A37B000-memory.dmp

Filesize
6.7MB

Download
memory/944-59-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/944-57-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/944-97-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/944-60-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/1156-422-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/1156-430-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/1668-18-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-19-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-20-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-126-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-123-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-433-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-110-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-197-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-459-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-21-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-402-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-327-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1668-118-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/1784-399-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1880-403-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/1880-460-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/1880-172-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/1880-353-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/1880-434-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/1880-198-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/2012-493-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/2012-501-0x0000000000AC0000-0x0000000000F85000-memory.dmp

Filesize
4.8MB

Download
memory/2140-421-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/2140-423-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/2336-299-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2612-495-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/2612-503-0x0000000000920000-0x0000000000DF3000-memory.dmp

Filesize
4.8MB

Download
memory/2680-122-0x000000001DE60000-0x000000001DE9C000-memory.dmp

Filesize
240KB

Download
memory/2680-192-0x000000001D5A0000-0x000000001D616000-memory.dmp

Filesize
472KB

Download
memory/2680-100-0x0000000000A70000-0x0000000000AEA000-memory.dmp

Filesize
488KB

Download
memory/2680-120-0x000000001DF10000-0x000000001E01A000-memory.dmp

Filesize
1.0MB

Download
memory/2680-121-0x000000001DE40000-0x000000001DE52000-memory.dmp

Filesize
72KB

Download
memory/2680-195-0x000000001F990000-0x000000001FEB8000-memory.dmp

Filesize
5.2MB

Download
memory/2680-194-0x000000001ED30000-0x000000001EEF2000-memory.dmp

Filesize
1.8MB

Download
memory/2680-193-0x000000001B680000-0x000000001B69E000-memory.dmp

Filesize
120KB

Download
memory/3212-217-0x0000000000420000-0x0000000000474000-memory.dmp

Filesize
336KB

Download
memory/3212-218-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/3264-354-0x0000000000C20000-0x0000000000E81000-memory.dmp

Filesize
2.4MB

Download
memory/3264-143-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3264-78-0x0000000000C20000-0x0000000000E81000-memory.dmp

Filesize
2.4MB

Download
memory/3512-462-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3512-470-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3512-463-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3564-101-0x00000000002C0000-0x0000000000314000-memory.dmp

Filesize
336KB

Download
memory/3720-0-0x00000000009F0000-0x0000000000EC3000-memory.dmp

Filesize
4.8MB

Download
memory/3720-5-0x00000000009F0000-0x0000000000EC3000-memory.dmp

Filesize
4.8MB

Download
memory/3720-16-0x00000000009F0000-0x0000000000EC3000-memory.dmp

Filesize
4.8MB

Download
memory/3720-2-0x00000000009F1000-0x0000000000A1F000-memory.dmp

Filesize
184KB

Download
memory/3720-3-0x00000000009F0000-0x0000000000EC3000-memory.dmp

Filesize
4.8MB

Download
memory/3720-1-0x0000000077CD4000-0x0000000077CD6000-memory.dmp

Filesize
8KB

Download
memory/3836-401-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3836-378-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4120-323-0x0000000000A70000-0x000000000110E000-memory.dmp

Filesize
6.6MB

Download
memory/4120-119-0x0000000000A70000-0x000000000110E000-memory.dmp

Filesize
6.6MB

Download
memory/4120-191-0x0000000000A70000-0x000000000110E000-memory.dmp

Filesize
6.6MB

Download
memory/4120-196-0x0000000000A70000-0x000000000110E000-memory.dmp

Filesize
6.6MB

Download
memory/4120-385-0x0000000000A70000-0x000000000110E000-memory.dmp

Filesize
6.6MB

Download
memory/4120-359-0x0000000000A70000-0x000000000110E000-memory.dmp

Filesize
6.6MB

Download
memory/4464-39-0x00000000001B0000-0x000000000058D000-memory.dmp

Filesize
3.9MB

Download
memory/4584-410-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4584-431-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4584-411-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4584-412-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4676-321-0x0000000000590000-0x00000000006A8000-memory.dmp

Filesize
1.1MB

Download
memory/4676-322-0x000000000B140000-0x000000000B1C4000-memory.dmp

Filesize
528KB

Download
memory/4920-171-0x0000000000B50000-0x0000000001015000-memory.dmp

Filesize
4.8MB

Download
memory/4920-141-0x0000000000B50000-0x0000000001015000-memory.dmp

Filesize
4.8MB

Download