amadey | 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
Size

1.8MB
MD5

d3506cf793362954f36b7e91edf27871
SHA1

85d608f63a13adfb53d2a2ebef716940f79b6ec8
SHA256

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea
SHA512

69571797ccdffac07fbfa58afdb6b3fea6b91284c7a6b4ae15e0b6e64938f9d3f37417fb27cf7a203b135d1fc2355c43c39588402719f772761a477eaeae83bd
SSDEEP

49152:uWhmomMAnvVGhvfqzNuUN7e8ZrZhJUELEQEaQMjM+isO61Xl82nY:u+M7nenqMS9XZ2OT11E

Score

10^/10

amadey redline xmrig ama e76b71 discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

AMA

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe family_redline
behavioral1/memory/2740-37-0x0000000000220000-0x0000000000270000-memory.dmp family_redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe	family_redline
behavioral1/memory/2740-37-0x0000000000220000-0x0000000000270000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

UPX dump on OEP (original entry point) 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1580-373-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-375-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-378-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-376-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-377-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-371-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-370-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-369-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-372-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-368-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-379-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-381-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/1580-382-0x0000000140000000-0x0000000140848000-memory.dmp	UPX

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1580-373-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1580-375-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1580-378-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1580-376-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1580-377-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1580-372-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1580-379-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1580-381-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1580-382-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1700 powershell.exe
1656 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1700	powershell.exe
1656	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 11 IoCs

Processes:

axplong.exeama.exegold.exelummac2.exeNewLatest.exeHkbsse.exelegs.exeFirstZ.exetaskweaker.exereakuqnanrkn.exe

pid process

2516 axplong.exe
2740 ama.exe
2172 gold.exe
936 lummac2.exe
564 NewLatest.exe
2324 Hkbsse.exe
2288 legs.exe
1216 FirstZ.exe
2460 taskweaker.exe
480
2260 reakuqnanrkn.exe

pid	process
2516	axplong.exe
2740	ama.exe
2172	gold.exe
936	lummac2.exe
564	NewLatest.exe
2324	Hkbsse.exe
2288	legs.exe
1216	FirstZ.exe
2460	taskweaker.exe
480
2260	reakuqnanrkn.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	axplong.exe

Loads dropped DLL 19 IoCs

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeaxplong.exeWerFault.exeNewLatest.exeWerFault.exeHkbsse.exe

pid	process
2944	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
2516	axplong.exe
2516	axplong.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
2516	axplong.exe
2516	axplong.exe
2516	axplong.exe
564	NewLatest.exe
2516	axplong.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2324	Hkbsse.exe
2324	Hkbsse.exe
2516	axplong.exe
2516	axplong.exe
480

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1580-367-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-373-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-375-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-378-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-376-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-377-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-371-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-370-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-369-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-372-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-368-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-379-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-381-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1580-382-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

38 pastebin.com
39 pastebin.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

1976 powercfg.exe
2072 powercfg.exe
1108 powercfg.exe
2476 powercfg.exe
2700 powercfg.exe
2780 powercfg.exe
2384 powercfg.exe
1524 powercfg.exe

flow	ioc
38	pastebin.com
39	pastebin.com

pid	process
1976	powercfg.exe
2072	powercfg.exe
1108	powercfg.exe
2476	powercfg.exe
2700	powercfg.exe
2780	powercfg.exe
2384	powercfg.exe
1524	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exeFirstZ.exepowershell.exereakuqnanrkn.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeaxplong.exe

pid process

2944 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
2516 axplong.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

reakuqnanrkn.exe

description pid process target process

PID 2260 set thread context of 2824 2260 reakuqnanrkn.exe conhost.exe
PID 2260 set thread context of 1580 2260 reakuqnanrkn.exe explorer.exe

description	pid	process	target process
PID 2260 set thread context of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 set thread context of 1580	2260	reakuqnanrkn.exe	explorer.exe

Drops file in Windows directory 4 IoCs

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeNewLatest.exewusa.exewusa.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2436 sc.exe
1680 sc.exe
2656 sc.exe
332 sc.exe
2748 sc.exe
2808 sc.exe
2976 sc.exe
2248 sc.exe
3032 sc.exe
2220 sc.exe
1064 sc.exe
1508 sc.exe
3012 sc.exe
3068 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1780 2172 WerFault.exe gold.exe
2916 2288 WerFault.exe legs.exe

pid	process
2436	sc.exe
1680	sc.exe
2656	sc.exe
332	sc.exe
2748	sc.exe
2808	sc.exe
2976	sc.exe
2248	sc.exe
3032	sc.exe
2220	sc.exe
1064	sc.exe
1508	sc.exe
3012	sc.exe
3068	sc.exe

pid	pid_target	process	target process
1780	2172	WerFault.exe	gold.exe
2916	2288	WerFault.exe	legs.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0c9cb92d2c5da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

axplong.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	axplong.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeaxplong.exeama.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exeexplorer.exe

pid	process
2944	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
2516	axplong.exe
2740	ama.exe
1216	FirstZ.exe
1700	powershell.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
1216	FirstZ.exe
2260	reakuqnanrkn.exe
1656	powershell.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
2260	reakuqnanrkn.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

ama.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2740	ama.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeShutdownPrivilege	2700	powercfg.exe
Token: SeShutdownPrivilege	2476	powercfg.exe
Token: SeShutdownPrivilege	2780	powercfg.exe
Token: SeShutdownPrivilege	2384	powercfg.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeShutdownPrivilege	1524	powercfg.exe
Token: SeShutdownPrivilege	1108	powercfg.exe
Token: SeShutdownPrivilege	1976	powercfg.exe
Token: SeShutdownPrivilege	2072	powercfg.exe
Token: SeLockMemoryPrivilege	1580	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeNewLatest.exe

pid process

2944 219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
564 NewLatest.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exeaxplong.exegold.exeNewLatest.exelegs.exeHkbsse.execmd.execmd.exereakuqnanrkn.exe

description	pid	process	target process
PID 2944 wrote to memory of 2516	2944	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe	axplong.exe
PID 2944 wrote to memory of 2516	2944	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe	axplong.exe
PID 2944 wrote to memory of 2516	2944	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe	axplong.exe
PID 2944 wrote to memory of 2516	2944	219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe	axplong.exe
PID 2516 wrote to memory of 2740	2516	axplong.exe	ama.exe
PID 2516 wrote to memory of 2740	2516	axplong.exe	ama.exe
PID 2516 wrote to memory of 2740	2516	axplong.exe	ama.exe
PID 2516 wrote to memory of 2740	2516	axplong.exe	ama.exe
PID 2516 wrote to memory of 2172	2516	axplong.exe	gold.exe
PID 2516 wrote to memory of 2172	2516	axplong.exe	gold.exe
PID 2516 wrote to memory of 2172	2516	axplong.exe	gold.exe
PID 2516 wrote to memory of 2172	2516	axplong.exe	gold.exe
PID 2172 wrote to memory of 1780	2172	gold.exe	WerFault.exe
PID 2172 wrote to memory of 1780	2172	gold.exe	WerFault.exe
PID 2172 wrote to memory of 1780	2172	gold.exe	WerFault.exe
PID 2172 wrote to memory of 1780	2172	gold.exe	WerFault.exe
PID 2516 wrote to memory of 936	2516	axplong.exe	lummac2.exe
PID 2516 wrote to memory of 936	2516	axplong.exe	lummac2.exe
PID 2516 wrote to memory of 936	2516	axplong.exe	lummac2.exe
PID 2516 wrote to memory of 936	2516	axplong.exe	lummac2.exe
PID 2516 wrote to memory of 564	2516	axplong.exe	NewLatest.exe
PID 2516 wrote to memory of 564	2516	axplong.exe	NewLatest.exe
PID 2516 wrote to memory of 564	2516	axplong.exe	NewLatest.exe
PID 2516 wrote to memory of 564	2516	axplong.exe	NewLatest.exe
PID 564 wrote to memory of 2324	564	NewLatest.exe	Hkbsse.exe
PID 564 wrote to memory of 2324	564	NewLatest.exe	Hkbsse.exe
PID 564 wrote to memory of 2324	564	NewLatest.exe	Hkbsse.exe
PID 564 wrote to memory of 2324	564	NewLatest.exe	Hkbsse.exe
PID 2516 wrote to memory of 2288	2516	axplong.exe	legs.exe
PID 2516 wrote to memory of 2288	2516	axplong.exe	legs.exe
PID 2516 wrote to memory of 2288	2516	axplong.exe	legs.exe
PID 2516 wrote to memory of 2288	2516	axplong.exe	legs.exe
PID 2288 wrote to memory of 2916	2288	legs.exe	WerFault.exe
PID 2288 wrote to memory of 2916	2288	legs.exe	WerFault.exe
PID 2288 wrote to memory of 2916	2288	legs.exe	WerFault.exe
PID 2288 wrote to memory of 2916	2288	legs.exe	WerFault.exe
PID 2324 wrote to memory of 1216	2324	Hkbsse.exe	FirstZ.exe
PID 2324 wrote to memory of 1216	2324	Hkbsse.exe	FirstZ.exe
PID 2324 wrote to memory of 1216	2324	Hkbsse.exe	FirstZ.exe
PID 2324 wrote to memory of 1216	2324	Hkbsse.exe	FirstZ.exe
PID 2516 wrote to memory of 2460	2516	axplong.exe	taskweaker.exe
PID 2516 wrote to memory of 2460	2516	axplong.exe	taskweaker.exe
PID 2516 wrote to memory of 2460	2516	axplong.exe	taskweaker.exe
PID 2516 wrote to memory of 2460	2516	axplong.exe	taskweaker.exe
PID 1852 wrote to memory of 1412	1852	cmd.exe	wusa.exe
PID 1852 wrote to memory of 1412	1852	cmd.exe	wusa.exe
PID 1852 wrote to memory of 1412	1852	cmd.exe	wusa.exe
PID 936 wrote to memory of 2044	936	cmd.exe	wusa.exe
PID 936 wrote to memory of 2044	936	cmd.exe	wusa.exe
PID 936 wrote to memory of 2044	936	cmd.exe	wusa.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 2824	2260	reakuqnanrkn.exe	conhost.exe
PID 2260 wrote to memory of 1580	2260	reakuqnanrkn.exe	explorer.exe
PID 2260 wrote to memory of 1580	2260	reakuqnanrkn.exe	explorer.exe
PID 2260 wrote to memory of 1580	2260	reakuqnanrkn.exe	explorer.exe
PID 2260 wrote to memory of 1580	2260	reakuqnanrkn.exe	explorer.exe
PID 2260 wrote to memory of 1580	2260	reakuqnanrkn.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe
"C:\Users\Admin\AppData\Local\Temp\219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 84
4⤵
- Loads dropped DLL
- Program crash
PID:1780

C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe"
3⤵
- Executes dropped EXE
PID:936

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
- Drops file in Windows directory
PID:1412

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:2656

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:3012

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:3032

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:2220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:2748

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
PID:2436

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
PID:2808

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:2976

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
PID:3068

C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 64
4⤵
- Loads dropped DLL
- Program crash
PID:2916

C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
"C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe"
3⤵
- Executes dropped EXE
PID:2460

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:2044

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2248

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:1064

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:1680

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:1508

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2824

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe
Filesize
297KB

MD5
5d860e52bfa60fec84b6a46661b45246

SHA1
1259e9f868d0d80ac09aadb9387662347cd4bd68

SHA256
b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

SHA512
04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe
Filesize
522KB

MD5
70a578f7f58456e475facd69469cf20a

SHA1
83e147e7ba01fa074b2f046b65978f838f7b1e8e

SHA256
5c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a

SHA512
707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000047001\lummac2.exe
Filesize
310KB

MD5
6e3d83935c7a0810f75dfa9badc3f199

SHA1
9f7d7c0ea662bcdca9b0cda928dc339f06ef0730

SHA256
dc4f0a8e3d12c98eac09a42bd976579ccc1851056d9de447495e8be7519760ed

SHA512
9f6b22bc9d0306a69d3c5bab83c7603fa23925c12089f9608772602ab2c4c0908cda2a3d9592fc0fab4aaff209ef41d3e2a931511ce9dfd027691e8dce9ad9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe
Filesize
659KB

MD5
bbd06263062b2c536b5caacdd5f81b76

SHA1
c38352c1c08fb0fa5e67a079998ef30ebc962089

SHA256
1875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9

SHA512
7faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000094001\taskweaker.exe
Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
d3506cf793362954f36b7e91edf27871

SHA1
85d608f63a13adfb53d2a2ebef716940f79b6ec8

SHA256
219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea

SHA512
69571797ccdffac07fbfa58afdb6b3fea6b91284c7a6b4ae15e0b6e64938f9d3f37417fb27cf7a203b135d1fc2355c43c39588402719f772761a477eaeae83bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41D3.tmp
Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4459.tmp
Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
memory/1580-368-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-367-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-382-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-381-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-379-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-372-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-374-0x0000000000240000-0x0000000000260000-memory.dmp

Filesize
128KB

Download
memory/1580-369-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-370-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-371-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-377-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-376-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-378-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-375-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1580-373-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1656-357-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/1656-356-0x0000000019F40000-0x000000001A222000-memory.dmp

Filesize
2.9MB

Download
memory/1700-350-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/1700-349-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download
memory/2172-51-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2460-340-0x000000013F880000-0x000000013FEB6000-memory.dmp

Filesize
6.2MB

Download
memory/2516-291-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-19-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-342-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-343-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-344-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-388-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-387-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-309-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-300-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-386-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-18-0x0000000000DA1000-0x0000000000DCF000-memory.dmp

Filesize
184KB

Download
memory/2516-290-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-289-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-288-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-191-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-385-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-384-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-383-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-17-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-341-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-22-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-20-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2516-380-0x0000000000DA0000-0x000000000125E000-memory.dmp

Filesize
4.7MB

Download
memory/2740-37-0x0000000000220000-0x0000000000270000-memory.dmp

Filesize
320KB

Download
memory/2824-365-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2824-359-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2824-358-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2824-360-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2824-362-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2824-361-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2944-0-0x00000000012A0000-0x000000000175E000-memory.dmp

Filesize
4.7MB

Download
memory/2944-16-0x00000000070F0000-0x00000000075AE000-memory.dmp

Filesize
4.7MB

Download
memory/2944-15-0x00000000012A0000-0x000000000175E000-memory.dmp

Filesize
4.7MB

Download
memory/2944-5-0x00000000012A0000-0x000000000175E000-memory.dmp

Filesize
4.7MB

Download
memory/2944-3-0x00000000012A0000-0x000000000175E000-memory.dmp

Filesize
4.7MB

Download
memory/2944-2-0x00000000012A1000-0x00000000012CF000-memory.dmp

Filesize
184KB

Download
memory/2944-1-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download