amadey | b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
Size

2.9MB
MD5

ecc31e1414214a49d2635742dc159e01
SHA1

78f904190673245e387da0b2f7a5e8674e430592
SHA256

b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319
SHA512

cc0f1a850fdaa520aa0145adb3efde042a6a87906d8595f07b31af76fb58179706cd72fdb8a4c870b69b929437954a513ff3b4f95dfd9dcc18767212bbe8c042
SSDEEP

49152:waYqCDL2uaN5vljCH5l6yre62IncPJMap3tCqywtMo+mEa4:woC32uaN5djCHT6yre62niap3tDtM9m+

Score

10^/10

amadey exelastealer gurcu lumma stealc default_valenciga fed3aa collection credential_access defense_evasion discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://drive-connect.cyou/api

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

https://shineugler.biz/api

Extracted

Family

lumma

https://tacitglibbr.biz/api

https://shineugler.biz/api

Extracted

Family

gurcu

https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessag

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v_dolg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
57	5028	rundll32.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3312	netsh.exe
1840	netsh.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v_dolg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v_dolg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AllNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	am209.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	defnur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sintv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2800	cmd.exe
4580	powershell.exe

Executes dropped EXE 26 IoCs

pid	Process
4792	axplong.exe
2284	stealc_default2.exe
3176	alexshlu.exe
1008	alexshlu.exe
632	AllNew.exe
2532	Gxtuum.exe
3248	am209.exe
4680	defnur.exe
4360	v_dolg.exe
3944	axplong.exe
2180	Gxtuum.exe
2408	defnur.exe
464	roblox.exe
5096	stub.exe
920	goldlummaa.exe
1160	goldlummaa.exe
980	goldlummaa.exe
3484	sintv.exe
1932	Out.exe
4436	Out.exe
4820	axplong.exe
3208	Gxtuum.exe
2148	defnur.exe
3316	axplong.exe
3272	Gxtuum.exe
4444	defnur.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	axplong.exe

Loads dropped DLL 35 IoCs

pid	Process
2284	stealc_default2.exe
2284	stealc_default2.exe
5028	rundll32.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe
5096	stub.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	v_dolg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
548	ARP.EXE
3220	cmd.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2704	tasklist.exe
3916	tasklist.exe
1932	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3896	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3004	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
4792	axplong.exe
4360	v_dolg.exe
3944	axplong.exe
4820	axplong.exe
3316	axplong.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3176 set thread context of 1008	3176	alexshlu.exe	87
PID 920 set thread context of 980	920	goldlummaa.exe	141

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	sintv.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	sintv.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe
File created	C:\Windows\Tasks\defnur.job	am209.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3624	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023cce-284.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4112	980	WerFault.exe	141
4024	980	WerFault.exe	141

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v_dolg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Out.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alexshlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	am209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goldlummaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Out.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alexshlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goldlummaa.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3624	cmd.exe
2540	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3040	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3588	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1652	ipconfig.exe
3040	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4956	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3176	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3004	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
3004	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
4792	axplong.exe
4792	axplong.exe
2284	stealc_default2.exe
2284	stealc_default2.exe
4360	v_dolg.exe
4360	v_dolg.exe
3944	axplong.exe
3944	axplong.exe
2284	stealc_default2.exe
2284	stealc_default2.exe
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe
980	goldlummaa.exe
980	goldlummaa.exe
980	goldlummaa.exe
980	goldlummaa.exe
3484	sintv.exe
3484	sintv.exe
4436	Out.exe
4436	Out.exe
4436	Out.exe
4436	Out.exe
4820	axplong.exe
4820	axplong.exe
3316	axplong.exe
3316	axplong.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4892	WMIC.exe
Token: SeSecurityPrivilege	4892	WMIC.exe
Token: SeTakeOwnershipPrivilege	4892	WMIC.exe
Token: SeLoadDriverPrivilege	4892	WMIC.exe
Token: SeSystemProfilePrivilege	4892	WMIC.exe
Token: SeSystemtimePrivilege	4892	WMIC.exe
Token: SeProfSingleProcessPrivilege	4892	WMIC.exe
Token: SeIncBasePriorityPrivilege	4892	WMIC.exe
Token: SeCreatePagefilePrivilege	4892	WMIC.exe
Token: SeBackupPrivilege	4892	WMIC.exe
Token: SeRestorePrivilege	4892	WMIC.exe
Token: SeShutdownPrivilege	4892	WMIC.exe
Token: SeDebugPrivilege	4892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4892	WMIC.exe
Token: SeRemoteShutdownPrivilege	4892	WMIC.exe
Token: SeUndockPrivilege	4892	WMIC.exe
Token: SeManageVolumePrivilege	4892	WMIC.exe
Token: 33	4892	WMIC.exe
Token: 34	4892	WMIC.exe
Token: 35	4892	WMIC.exe
Token: 36	4892	WMIC.exe
Token: SeDebugPrivilege	2704	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4892	WMIC.exe
Token: SeSecurityPrivilege	4892	WMIC.exe
Token: SeTakeOwnershipPrivilege	4892	WMIC.exe
Token: SeLoadDriverPrivilege	4892	WMIC.exe
Token: SeSystemProfilePrivilege	4892	WMIC.exe
Token: SeSystemtimePrivilege	4892	WMIC.exe
Token: SeProfSingleProcessPrivilege	4892	WMIC.exe
Token: SeIncBasePriorityPrivilege	4892	WMIC.exe
Token: SeCreatePagefilePrivilege	4892	WMIC.exe
Token: SeBackupPrivilege	4892	WMIC.exe
Token: SeRestorePrivilege	4892	WMIC.exe
Token: SeShutdownPrivilege	4892	WMIC.exe
Token: SeDebugPrivilege	4892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4892	WMIC.exe
Token: SeRemoteShutdownPrivilege	4892	WMIC.exe
Token: SeUndockPrivilege	4892	WMIC.exe
Token: SeManageVolumePrivilege	4892	WMIC.exe
Token: 33	4892	WMIC.exe
Token: 34	4892	WMIC.exe
Token: 35	4892	WMIC.exe
Token: 36	4892	WMIC.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	3916	tasklist.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeIncreaseQuotaPrivilege	3588	WMIC.exe
Token: SeSecurityPrivilege	3588	WMIC.exe
Token: SeTakeOwnershipPrivilege	3588	WMIC.exe
Token: SeLoadDriverPrivilege	3588	WMIC.exe
Token: SeSystemProfilePrivilege	3588	WMIC.exe
Token: SeSystemtimePrivilege	3588	WMIC.exe
Token: SeProfSingleProcessPrivilege	3588	WMIC.exe
Token: SeIncBasePriorityPrivilege	3588	WMIC.exe
Token: SeCreatePagefilePrivilege	3588	WMIC.exe
Token: SeBackupPrivilege	3588	WMIC.exe
Token: SeRestorePrivilege	3588	WMIC.exe
Token: SeShutdownPrivilege	3588	WMIC.exe
Token: SeDebugPrivilege	3588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3588	WMIC.exe
Token: SeRemoteShutdownPrivilege	3588	WMIC.exe
Token: SeUndockPrivilege	3588	WMIC.exe
Token: SeManageVolumePrivilege	3588	WMIC.exe
Token: 33	3588	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3004	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4792	3004	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe	83
PID 3004 wrote to memory of 4792	3004	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe	83
PID 3004 wrote to memory of 4792	3004	b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe	83
PID 4792 wrote to memory of 2284	4792	axplong.exe	84
PID 4792 wrote to memory of 2284	4792	axplong.exe	84
PID 4792 wrote to memory of 2284	4792	axplong.exe	84
PID 4792 wrote to memory of 3176	4792	axplong.exe	85
PID 4792 wrote to memory of 3176	4792	axplong.exe	85
PID 4792 wrote to memory of 3176	4792	axplong.exe	85
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 3176 wrote to memory of 1008	3176	alexshlu.exe	87
PID 4792 wrote to memory of 632	4792	axplong.exe	89
PID 4792 wrote to memory of 632	4792	axplong.exe	89
PID 4792 wrote to memory of 632	4792	axplong.exe	89
PID 632 wrote to memory of 2532	632	AllNew.exe	90
PID 632 wrote to memory of 2532	632	AllNew.exe	90
PID 632 wrote to memory of 2532	632	AllNew.exe	90
PID 4792 wrote to memory of 3248	4792	axplong.exe	91
PID 4792 wrote to memory of 3248	4792	axplong.exe	91
PID 4792 wrote to memory of 3248	4792	axplong.exe	91
PID 3248 wrote to memory of 4680	3248	am209.exe	92
PID 3248 wrote to memory of 4680	3248	am209.exe	92
PID 3248 wrote to memory of 4680	3248	am209.exe	92
PID 4792 wrote to memory of 4360	4792	axplong.exe	99
PID 4792 wrote to memory of 4360	4792	axplong.exe	99
PID 4792 wrote to memory of 4360	4792	axplong.exe	99
PID 4680 wrote to memory of 5028	4680	defnur.exe	110
PID 4680 wrote to memory of 5028	4680	defnur.exe	110
PID 4680 wrote to memory of 5028	4680	defnur.exe	110
PID 4792 wrote to memory of 464	4792	axplong.exe	111
PID 4792 wrote to memory of 464	4792	axplong.exe	111
PID 464 wrote to memory of 5096	464	roblox.exe	113
PID 464 wrote to memory of 5096	464	roblox.exe	113
PID 5096 wrote to memory of 1968	5096	stub.exe	114
PID 5096 wrote to memory of 1968	5096	stub.exe	114
PID 5096 wrote to memory of 400	5096	stub.exe	115
PID 5096 wrote to memory of 400	5096	stub.exe	115
PID 5096 wrote to memory of 5016	5096	stub.exe	116
PID 5096 wrote to memory of 5016	5096	stub.exe	116
PID 400 wrote to memory of 4892	400	cmd.exe	117
PID 400 wrote to memory of 4892	400	cmd.exe	117
PID 5016 wrote to memory of 2704	5016	cmd.exe	118
PID 5016 wrote to memory of 2704	5016	cmd.exe	118
PID 5096 wrote to memory of 3896	5096	stub.exe	119
PID 5096 wrote to memory of 3896	5096	stub.exe	119
PID 3896 wrote to memory of 4220	3896	cmd.exe	120
PID 3896 wrote to memory of 4220	3896	cmd.exe	120
PID 5096 wrote to memory of 4920	5096	stub.exe	121
PID 5096 wrote to memory of 4920	5096	stub.exe	121
PID 5096 wrote to memory of 384	5096	stub.exe	122
PID 5096 wrote to memory of 384	5096	stub.exe	122
PID 4920 wrote to memory of 3064	4920	cmd.exe	123
PID 4920 wrote to memory of 3064	4920	cmd.exe	123
PID 384 wrote to memory of 3176	384	cmd.exe	124
PID 384 wrote to memory of 3176	384	cmd.exe	124
PID 5096 wrote to memory of 4804	5096	stub.exe	126

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4220	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe
"C:\Users\Admin\AppData\Local\Temp\b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe
    "C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe
      "C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1008
- - C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
    "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2532
- - C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
    "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
      "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5028
- - C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe
    "C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4360
- - C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe
    "C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\stub.exe
      C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:3064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:384
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4804
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:2800
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:3020
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:2984
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3624
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:3220
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:4956
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:4964
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:4196
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:1452
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:4092
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:3768
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:4024
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:4444
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:3316
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:4884
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:2280
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:2364
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:2628
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:2040
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:4836
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:1932
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:1652
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:3844
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:548
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3040
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:3624
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3312
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4024
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2976
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4820
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2284
- - C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe
    "C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe
      "C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe"
      4⤵
      Executes dropped EXE
      PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe
      "C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1400
        5⤵
        Program crash
        
        PID:4112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1228
        5⤵
        Program crash
        
        PID:4024
- - C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe
    "C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3484
  - - C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp1E05.tmp"
      4⤵
      PID:1944
- - C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe
    "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe
      "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4436

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3944

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 980 -ip 980
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 980 -ip 980
1⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3316

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_dd2803c7-d377-4f06-bdfe-aea230fc7b0e

Filesize
2KB

MD5
b9b4b324adfa3682245522279ecb4039

SHA1
a6fe3db2d9c8c77705125d132a83fa75bc48551e

SHA256
15c8c2e2edb73245c62f0f28c9f9d4ed1b2266c10852e0a861a08e6deba48607

SHA512
c4828199cacc3fcbb9537533bd62d8185d1d26bb0f43bb8aa20096758178646d81f4f4d3514444d858ede37e5e34ffe85449c6c6311532d441e687e86d6e870c

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001527001\alexshlu.exe

Filesize
809KB

MD5
9821fa45714f3b4538cc017320f6f7e5

SHA1
5bf0752889cefd64dab0317067d5e593ba32e507

SHA256
fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72

SHA512
90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe

Filesize
429KB

MD5
ce27255f0ef33ce6304e54d171e6547c

SHA1
e594c6743d869c852bf7a09e7fe8103b25949b6e

SHA256
82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c

SHA512
96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe

Filesize
3.6MB

MD5
378706614b22957208e09fc84fceece8

SHA1
d35e1f89f36aed26553b665f791cd69d82136fb8

SHA256
df6e6d5bead4aa34f8e0dd325400a5829265b0f615cd1da48d155cc30b89ad6d

SHA512
bef7a09ce1ffd0a0b169a6ec7c143ca322c929139ca0af40353502ae22fed455fe10a9b80ba93cc399a88add94f921b7aa801033ddae351f8f8d477781ca476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe

Filesize
10.7MB

MD5
6898eace70e2da82f257bc78cb081b2f

SHA1
5ac5ed21436d8b4c59c0b62836d531844c571d6d

SHA256
bcdd8b7c9ec736765d4596332c0fec1334b035d4456df1ec25b569f9b6431a23

SHA512
ca719707417a095fe092837e870aefc7e8874ef351e27b5b41e40f46a9e2f6cb2ba915858bc3c99a14c2f1288c71c7ddd9c2adee6588d6b43cd3ba276e1585d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006343001\goldlummaa.exe

Filesize
396KB

MD5
876bf2dec67ea8626322d2c268219d76

SHA1
ecb0c0cd486733491804a05cf387f2d04d5e2279

SHA256
08d37bbc1881f5fbfdcc84e3270320bb4d03a3ad4fcdf1d996c9de0ca8f2b425

SHA512
9268392683a9962143f987f069d97016abd1ccd61bb67aa8e3f8d9c4b7aa6168d3c01884ce9023831216b8710eddee2d52fcb3c84dbacefe94cb28fa661b6a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe

Filesize
4.5MB

MD5
38fcaa23700e62fb0b3fc2591f82cc80

SHA1
abedd6ec573a6fede05d15920f3ac3763062c75c

SHA256
fb829a6a8535a443932cd167e8301b5e74c60702b5f7fade7e9f13a736ce72b0

SHA512
5da88a61c716a9891cb225f36f275040d69915c4c731c2a5c042d5c997ca39241a3e9d6646569468d477f47db42462c21b58f2de7f56a84cb145e6cee478eeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe

Filesize
2.5MB

MD5
7ff947867bc70055adffa2164a741b01

SHA1
cff424168c2f6bcef107ebc9bd65590f3ead76ae

SHA256
b6d6628d2dc7dea808eef05180c27abe10a1af245d624aacdacccc52a1eb7b40

SHA512
da507d1847056d0dc2c122c45ecbea4901a81c06890bcdbffc2f18ad4b96f0ac2c2fa9ebde1a315828c74a97af653062a8c50ce70c9b6d6966c48871150747ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
2.9MB

MD5
ecc31e1414214a49d2635742dc159e01

SHA1
78f904190673245e387da0b2f7a5e8674e430592

SHA256
b73ed2ed32ab497bf28f079a3c0148377fe2460b0177622d9cfced95bf027319

SHA512
cc0f1a850fdaa520aa0145adb3efde042a6a87906d8595f07b31af76fb58179706cd72fdb8a4c870b69b929437954a513ff3b4f95dfd9dcc18767212bbe8c042

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd

Filesize
47KB

MD5
7e6bd435c918e7c34336c7434404eedf

SHA1
f3a749ad1d7513ec41066ab143f97fa4d07559e1

SHA256
0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4

SHA512
c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1DD4.tmp

Filesize
2KB

MD5
488400275df7b00707db2ef286ff4e6a

SHA1
ecc68f591350eea2f238face63f10f48c3c0101e

SHA256
a958146824dbe99fb6b339a1b6f1718d8ec6fdac276b6832789a0f0f794b5e4b

SHA512
0dc6adf27918cd236e9d76ab4dca197b57f04677fc06104accaa2c4f26110f9b26fd60695f9b36de8efed91477d3d300a596db241ac4e0e3d3c0e65ef134b32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
2dc3133caeb5792be5e5c6c2fa812e34

SHA1
0ed75d85c6a2848396d5dd30e89987f0a8b5cedb

SHA256
4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7

SHA512
2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qads5gif.4y0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\_asyncio.pyd

Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\_cffi_backend.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\stub.exe

Filesize
16.1MB

MD5
d09a400f60c7a298e884f90539e9c72f

SHA1
41582ba130bef907e24f87534e7a0fdd37025101

SHA256
700962aa295e2fa207ff522e2f5ca051a2929eb6f252d42c9cb0a56a4f084bfe

SHA512
d8ba2859bb2ea109c1ca33cb924e40bf61db79aefb59324101d9f47a08835d86834790d3bc6bad4151a561ef82265b32d5111bc80f95dce769c5eb4da5116cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_464_133788585681483535\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5BD5F717112A97BCCCBAA0CC6758CAD7C5C2D91F

Filesize
1KB

MD5
d5590aaf214b92c3ba38a2661c645cc6

SHA1
619f6bb1f9646f452f3efe3e27a40a2d7118e9e4

SHA256
3b2575e9a973cb8dfe337b37185568a3b94425ab0570331d78d62f5cbb167d3f

SHA512
7469873c772ef6b1ec5575544e6e3fca0e4d75d40b7d0cb69073d403c94467c17a86c5ad2dc4553202b60ca4783e91e98088e943e793dfa66c00e4f9bd532508

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5BD5F717112A97BCCCBAA0CC6758CAD7C5C2D91F

Filesize
1KB

MD5
4eaa7f57e532ad352c9533eeb1e9d941

SHA1
6d5c060a6acb8132161bbf129e2af5a0555c19c6

SHA256
b2be647845bc1b58eec1363674927a8fdab8c5f99856419aa6e9b138b8362c61

SHA512
035c7cc455f192b031377aabdb05bb681cdda1145f21f78deae367d419bb7c3719cb6d9dcd159c0f3452926f7a69f29ed943f2752d8f11f8a024e28d41a482b0

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
124KB

MD5
0d3418372c854ee228b78e16ea7059be

SHA1
c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1

SHA256
885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7

SHA512
e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19

Download Submit
memory/464-471-0x00007FF6F53E0000-0x00007FF6F5EB2000-memory.dmp

Filesize
10.8MB

Download
memory/464-443-0x00007FF6F53E0000-0x00007FF6F5EB2000-memory.dmp

Filesize
10.8MB

Download
memory/980-477-0x00000000047B0000-0x0000000004C1E000-memory.dmp

Filesize
4.4MB

Download
memory/980-478-0x00000000047B0000-0x0000000004C1E000-memory.dmp

Filesize
4.4MB

Download
memory/980-476-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/980-372-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/980-371-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1008-54-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1008-56-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2284-215-0x0000000000090000-0x00000000002F1000-memory.dmp

Filesize
2.4MB

Download
memory/2284-37-0x0000000000090000-0x00000000002F1000-memory.dmp

Filesize
2.4MB

Download
memory/2284-121-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3004-2-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3004-4-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/3004-18-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/3004-3-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/3004-0-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/3004-1-0x0000000077254000-0x0000000077256000-memory.dmp

Filesize
8KB

Download
memory/3316-498-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/3484-394-0x0000022659C50000-0x000002265A0E0000-memory.dmp

Filesize
4.6MB

Download
memory/3484-396-0x0000022674BA0000-0x0000022674D62000-memory.dmp

Filesize
1.8MB

Download
memory/3944-179-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/3944-171-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4360-164-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/4360-141-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/4360-169-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/4360-165-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/4360-153-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/4360-145-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/4436-474-0x00000000000C0000-0x0000000000116000-memory.dmp

Filesize
344KB

Download
memory/4436-486-0x00000000000C0000-0x0000000000116000-memory.dmp

Filesize
344KB

Download
memory/4436-473-0x00000000000C0000-0x0000000000116000-memory.dmp

Filesize
344KB

Download
memory/4580-366-0x000002455DFB0000-0x000002455DFD2000-memory.dmp

Filesize
136KB

Download
memory/4792-19-0x0000000000561000-0x000000000058F000-memory.dmp

Filesize
184KB

Download
memory/4792-495-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-499-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-22-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-206-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-20-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-110-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-472-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-491-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-475-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-57-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-21-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-111-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-120-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-17-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-488-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-496-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-377-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-487-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-492-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-493-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4792-494-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4820-490-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/4820-489-0x0000000000560000-0x000000000087D000-memory.dmp

Filesize
3.1MB

Download
memory/5096-470-0x00007FF7A33A0000-0x00007FF7A4409000-memory.dmp

Filesize
16.4MB

Download
memory/5096-451-0x00007FF7A33A0000-0x00007FF7A4409000-memory.dmp

Filesize
16.4MB

Download